Incorrect Privilege Assignment in XWiki platform - CVE-2023-36468


Published: June 29, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129928
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-36468
CWE-ID: CWE-266
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because old document revisions are rendered with incorrect privileges when a revision is requested through the rev URL parameter. A remote user can request an old revision of a document that still contains a vulnerable script macro and use it to execute arbitrary code, even though the document's current revision has been fixed.

Upgraded installations are affected because the upgrade replaces a page's current content but leaves the earlier, vulnerable versions in the document history. The same applies to manually added script macros whose vulnerable versions remain in history after the current version was corrected. Fresh installations are not affected, nor is content that is only loaded from the current version of a document.
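The practical consequence of the description above is that fixing a page's current content is not enough: every earlier revision that still carries a script macro stays reachable through the rev parameter. The following Python script is an added example, not code from XWiki or from this advisory's source. It takes a document's history as a list of revisions (the sample history is constructed for the example; in practice you would export it from the wiki however you normally do), flags old revisions that contain script macros and differ from the current one, and prints the rev URL for each so the page can be checked in a test environment. The URL layout under /bin/view is an assumption about a default XWiki install.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Macro names that execute server-side script in XWiki 2.x syntax. The dedicated
# macros are {{groovy}}, {{velocity}}, {{python}} and {{php}}; {{script language="..."}}
# is the generic form. The closing form {{/groovy}} does not match because of the slash.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(groovy|velocity|python|php|script)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Revision:
    version: str  # revision number as shown in the history tab, e.g. "2.1"
    author: str   # user reference that saved the revision
    content: str  # page source in XWiki syntax


def script_macros(content: str) -> List[str]:
    """Names of the script macros present in one revision's source, deduplicated."""
    return sorted({m.group(1).lower() for m in SCRIPT_MACRO_RE.finditer(content)})


def stale_script_revisions(history: List[Revision]) -> List[Tuple[str, str, List[str]]]:
    """Old revisions (every entry except the last, current one) that still carry a
    script macro and whose source is not identical to the current revision.

    Those are the revisions a rev= request can still render from history after the
    current version has been fixed, so they are what an upgraded install should audit.
    Returns (version, author, macro names) per flagged revision, oldest first.
    """
    if not history:
        return []
    current = history[-1]
    flagged = []
    for rev in history[:-1]:
        macros = script_macros(rev.content)
        if macros and rev.content != current.content:
            flagged.append((rev.version, rev.author, macros))
    return flagged


def revision_url(base: str, space: str, page: str, version: str) -> str:
    """View URL for one historic revision via the rev parameter named in the advisory.
    `base` is the wiki URL up to and including /bin (assumed default XWiki layout)."""
    return f"{base}/view/{space}/{page}?rev={version}"


# Constructed sample history, not taken from any real wiki.
# 1.1: a page from an older release that renders a request parameter through Velocity
#      without escaping.
# 2.1: the version installed by an upgrade, which escapes the value.
# 3.1: an editor later replaced the script with static text (this is the current one).
SAMPLE_HISTORY = [
    Revision("1.1", "XWiki.Admin",
             "{{velocity}}\nHello $request.name\n{{/velocity}}"),
    Revision("2.1", "XWiki.Admin",
             "{{velocity}}\nHello $escapetool.xml($request.name)\n{{/velocity}}"),
    Revision("3.1", "XWiki.Editor",
             "Hello, visitor."),
]


if __name__ == "__main__":
    base = "https://wiki.example/xwiki/bin"  # assumed test instance
    for version, author, macros in stale_script_revisions(SAMPLE_HISTORY):
        print(f"rev {version} by {author}: {', '.join(macros)} -> "
              f"{revision_url(base, 'Main', 'WebHome', version)}")
```

The current revision is skipped on purpose: the advisory states that content loaded only from the current version is unaffected, so what matters is the set of historic revisions that still contain script macros the current page no longer has. Both 1.1 and 2.1 are reported for the sample, because the scanner cannot tell a fixed script from a vulnerable one; it only narrows the review to the revisions that can still be executed through rev.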


How to mitigate CVE-2023-36468

Install the security update from the vendor's website. Until it is applied, treat every old revision that contains a script macro as reachable through the rev parameter, regardless of whether the document's current revision has already been fixed.

Sources