Incorrect authorization in XWiki platform - CVE-2023-46243

Published: November 7, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129932
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-46243
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user who holds edit right on a document to execute arbitrary code with the rights of that document's content author.

The vulnerability exists due to incorrect authorization in the edit action when it handles edit requests that carry user-supplied content. The content taken from the request replaces the document body for that request, but script macros in it are still authorized against the document's stored content author instead of the user who submitted the request. A remote user can therefore send a specially crafted edit URL whose supplied content contains script macros and have them executed with the rights of the document's content author.

Exploitation requires edit right on a document whose content author has programming right or script right. Because the content author is the user who last saved the document's content, any page last edited by such a user and editable by the attacker is a usable target; no other privilege is needed.
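The decision that went wrong, as an added example that is not XWiki's code: a small Python model in which a document carries a stored content author and a set of editors, and an edit request supplies new content. The user names, page name, rights sets and the macro check are constructed assumptions; the only point being shown is which user's rights govern script macros in request-supplied content, in the vulnerable form and in the fixed form side by side.

```python
# Added example: a toy model of the authorization decision behind CVE-2023-46243.
# It is not XWiki code. Users, documents and the macro check are constructed
# stand-ins; only the decision "whose rights govern request-supplied content"
# is the point.
from dataclasses import dataclass, field

PROGRAMMING = "programming"  # needed for {{groovy}} in this model
SCRIPT = "script"            # needed for {{velocity}} in this model


@dataclass
class User:
    name: str
    rights: set = field(default_factory=set)


@dataclass
class Document:
    ref: str
    content: str
    content_author: str                        # user who last saved the content
    editors: set = field(default_factory=set)  # users granted edit right


# Constructed data: an admin-authored page that a low-privilege user may edit.
USERS = {
    "XWiki.Admin": User("XWiki.Admin", {PROGRAMMING, SCRIPT}),
    "XWiki.mallory": User("XWiki.mallory", set()),
}
PAGE = Document(
    ref="Main.WebHome",
    content="Welcome",
    content_author="XWiki.Admin",
    editors={"XWiki.Admin", "XWiki.mallory"},
)


def has_right(user: str, right: str) -> bool:
    rights = USERS[user].rights
    # Programming right implies script right.
    return right in rights or (right == SCRIPT and PROGRAMMING in rights)


def required_right(content: str):
    """Stand-in for macro analysis: the right the script macros in content need."""
    if "{{groovy}}" in content:
        return PROGRAMMING
    if "{{velocity}}" in content:
        return SCRIPT
    return None


def execute(content: str, author: str):
    """Run content as author; returns (outcome, user whose rights were used)."""
    needed = required_right(content)
    if needed is not None and not has_right(author, needed):
        return ("denied", author)
    return ("executed", author)


def edit_vulnerable(doc: Document, current_user: str, request_content: str):
    """Vulnerable decision: request content replaces the body, but the stored
    content author still decides whether its scripts may run."""
    if current_user not in doc.editors:
        raise PermissionError(f"{current_user} has no edit right on {doc.ref}")
    return execute(request_content, doc.content_author)


def edit_fixed(doc: Document, current_user: str, request_content: str):
    """Fixed decision: content that did not come from the store is attributed
    to the user who supplied it, so its scripts run with that user's rights."""
    if current_user not in doc.editors:
        raise PermissionError(f"{current_user} has no edit right on {doc.ref}")
    return execute(request_content, current_user)


if __name__ == "__main__":
    payload = "{{groovy}}println('runs as whom?'){{/groovy}}"
    print("vulnerable:", edit_vulnerable(PAGE, "XWiki.mallory", payload))
    print("fixed:     ", edit_fixed(PAGE, "XWiki.mallory", payload))
```

Running it shows the low-privilege editor's groovy macro executed as XWiki.Admin on the vulnerable path and denied on the fixed path; the fix does not touch the edit-right check at all, it only changes whose rights the supplied content is attributed to.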


How to mitigate CVE-2023-46243

Install the security update from the vendor's website. Until it is applied, the precondition above is the thing to audit: documents editable by low-privilege users whose content author holds programming or script right are the only usable targets, so tightening edit rights on those pages reduces exposure without removing the underlying flaw.

Sources