Eval Injection in XWiki platform - CVE-2023-36469

Published: June 29, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129933
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-36469
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script macros.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in NotificationRSSService when generating the RSS feed from user-controlled profile and notification data. A remote user can inject crafted macro code into profile fields to execute arbitrary script macros.

This can lead to unrestricted read and write access to all wiki contents.
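The following Python sketch is an added illustration, not code from XWiki or from this advisory. It contrasts the two shapes of feed generation the description implies: user-controlled profile and notification fields concatenated raw into wiki markup that is then evaluated, versus the same fields escaped first. The toy renderer, the `~` escaping rule and the sample values are assumptions or constructed for the example.

```python
import re

# Constructed sample values (not taken from the advisory): a profile display
# name smuggling a script macro, and a notification message. The description
# says the feed generator takes both kinds of field from user-controlled data.
HOSTILE_DISPLAY_NAME = "Alice {{groovy}}println('hello'){{/groovy}}"
NOTIFICATION_TEXT = "updated page [[Sandbox.WebHome]]"

# Opening {{macro ...}} marker in XWiki 2.x syntax (closing markers start with /).
MACRO_OPEN = re.compile(r"\{\{\s*([A-Za-z][\w-]*)[^}]*\}\}")
SYNTAX_ESCAPE = "~"  # XWiki Syntax 2.x escape character

def macros_that_would_run(markup):
    """Names of macros a renderer would evaluate in this markup. Stand-in for the
    real rendering engine; run over stored profile fields it also serves as a
    detection check for macro markup that has no business being there."""
    return MACRO_OPEN.findall(markup)

def escape_wiki_syntax(text):
    """Prefix every non-alphanumeric character with ~ so the text renders verbatim.
    Assumption: over-escaping is harmless in XWiki 2.x syntax, so this is a
    conservative approximation of a rendering escape utility."""
    return "".join(c if c.isalnum() or c == " " else SYNTAX_ESCAPE + c for c in text)

def build_feed_entry(display_name, text, escape_user_data):
    """Assemble one feed item as wiki markup that is rendered afterwards.
    escape_user_data=False is the vulnerable shape (user data concatenated raw
    into markup that is then evaluated); True is the hardened shape."""
    if escape_user_data:
        display_name = escape_wiki_syntax(display_name)
        text = escape_wiki_syntax(text)
    return f"{display_name} {text}"

def exposure(display_name, text):
    """Macros the renderer would evaluate for the raw and for the escaped shape."""
    return {
        "raw": macros_that_would_run(build_feed_entry(display_name, text, False)),
        "escaped": macros_that_would_run(build_feed_entry(display_name, text, True)),
    }

if __name__ == "__main__":
    print(exposure(HOSTILE_DISPLAY_NAME, NOTIFICATION_TEXT))
    # → {'raw': ['groovy'], 'escaped': []}
```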


How to mitigate CVE-2023-36469

Install the security update from the vendor's website.

Sources