Incorrect authorization in XWiki platform - CVE-2023-41046
Published: September 1, 2023 / Updated: May 5, 2026
Vulnerability identifier: #VU129919
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-41046
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: XWiki
Affected software:
XWiki platform
XWiki platform
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information and modify data.
The vulnerability exists due to improper access control in TextArea properties with the "VelocityCode" or "VelocityWiki" content type when adding the property to an object. A remote user can create an XClass with such a property to disclose sensitive information and modify data.
For the "VelocityCode" case, the document syntax must be set to xwiki/1.0. The executed code runs with the context author and cannot access privileged APIs.
How to mitigate CVE-2023-41046
Install security update from vendor's website.