Improper access control in XWiki platform - CVE-2023-40573

Published: August 23, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129921
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-40573
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in Groovy scheduled jobs when checking the content author for programming right and triggering jobs through the scheduler. A remote user can create or modify a Groovy job in a document whose content was last changed by a user with programming right and trigger it via a crafted request to execute arbitrary code.

User interaction is required, and exploitation requires edit right on a document whose content was last changed by a user with programming right.


How to mitigate CVE-2023-40573

Install the security update from the vendor's website.

Sources