Eval Injection in XWiki platform - CVE-2023-40177



Published: August 21, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129934
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-40177
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary scripts with programming rights.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code (CWE-95) in the AppWithinMinutes content field displayer. When the content field of a user profile page is rendered through this displayer, the content is evaluated with the rights of the author of AppWithinMinutes.Content, who has programming rights, rather than with the rights of the author of the profile page. A remote authenticated user can therefore place crafted script content in the content field of their own profile and have it executed with programming rights.

The issue affects every case where a wiki page, including a user profile page, is used as an AWM Content field, because the content is executed with the rights of the AppWithinMinutes.Content author instead of the content author.
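The following is an added illustration, not code from XWiki or from this advisory. It models the rights confusion in a few dozen lines: a displayer document owned by a programming-rights user renders a profile page, and the question is whose rights apply when a script macro in that profile is evaluated. The names Wiki, Page, render_field, scan_profiles and build_sample_wiki are hypothetical, the sample pages are constructed, and the model collapses XWiki's separate script and programming rights into a single programming right.

```python
"""Added illustration of CVE-2023-40177 (hypothetical model, not XWiki code).

render_field() shows the vulnerable decision (rights of the displayer's author)
next to the corrected one (rights of the content's author); scan_profiles()
flags the profile content an attacker would need to plant.
"""
import re
from dataclasses import dataclass, field

# XWiki script macros; in XWiki they need script or programming rights.
# This model treats them all as requiring the single "programming" right.
SCRIPT_MACRO = re.compile(
    r"\{\{(velocity|groovy|python|php)\b[^}]*\}\}(.*?)\{\{/\1\}\}", re.S
)


@dataclass
class Page:
    name: str
    author: str
    content: str


@dataclass
class Wiki:
    programming_users: set = field(default_factory=set)
    pages: dict = field(default_factory=dict)

    def has_programming_right(self, user):
        return user in self.programming_users


def render_field(wiki, displayer, target, use_content_author):
    """Render target.content through displayer.

    use_content_author=False models the vulnerable behaviour: scripts in the
    target document run with the rights of the displayer's author.
    use_content_author=True models the fix: the target's own author is used.
    Returns (effective_author, executed_macros, rendered_text).
    """
    effective_author = target.author if use_content_author else displayer.author
    executed, output = [], target.content
    for m in SCRIPT_MACRO.finditer(target.content):
        macro, body = m.group(1), m.group(2).strip()
        if wiki.has_programming_right(effective_author):
            executed.append((macro, body))  # would run in a real engine
            output = output.replace(m.group(0), f"<executed {macro} as {effective_author}>")
        else:
            output = output.replace(m.group(0), f"<{macro} macro denied for {effective_author}>")
    return effective_author, executed, output


def scan_profiles(wiki):
    """Flag user profile pages (XWiki.* space in this model) whose content
    carries a script macro although the page author lacks programming right.
    That combination is exactly the input a CVE-2023-40177 attack needs."""
    findings = []
    for page in wiki.pages.values():
        if not page.name.startswith("XWiki."):
            continue
        macros = [m.group(1) for m in SCRIPT_MACRO.finditer(page.content)]
        if macros and not wiki.has_programming_right(page.author):
            findings.append((page.name, page.author, macros))
    return findings


def build_sample_wiki():
    """Constructed sample data: an admin-owned displayer, one attacker profile,
    one harmless profile."""
    wiki = Wiki(programming_users={"XWiki.Admin"})
    wiki.pages["AppWithinMinutes.Content"] = Page(
        "AppWithinMinutes.Content", "XWiki.Admin", "{{include reference=$doc /}}"
    )
    wiki.pages["XWiki.Mallory"] = Page(
        "XWiki.Mallory", "XWiki.Mallory",
        "About me {{groovy}}println(new File('/etc/passwd').text){{/groovy}}",
    )
    wiki.pages["XWiki.Alice"] = Page("XWiki.Alice", "XWiki.Alice", "Just a profile.")
    return wiki


if __name__ == "__main__":
    w = build_sample_wiki()
    disp, mallory = w.pages["AppWithinMinutes.Content"], w.pages["XWiki.Mallory"]
    print("vulnerable:", render_field(w, disp, mallory, use_content_author=False)[2])
    print("fixed:     ", render_field(w, disp, mallory, use_content_author=True)[2])
    print("findings:  ", scan_profiles(w))
```

Run stand-alone, the vulnerable path reports the groovy macro executed as XWiki.Admin, the fixed path reports it denied for XWiki.Mallory, and scan_profiles lists Mallory's profile; the scanner's rule (script macro in a profile whose author lacks the right to run it) is the check to apply to real page exports while the update is pending.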


How to mitigate CVE-2023-40177

Install the security update from the vendor's website. Until it is applied, review the content field of user profile pages for script macros (for example {{velocity}} or {{groovy}}) placed by users who do not themselves hold script or programming rights, since that is the content this vulnerability executes with programming rights.
