Eval Injection in XWiki platform - CVE-2023-37914

Published: August 17, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129935
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-37914
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code (CWE-95) in the Invitation application's subject and message preview, which processes user-supplied invitation subject or message content as wiki syntax. A remote user can submit specially crafted macro content in the subject or message and have it executed when the preview is rendered.

The issue can be triggered by any user who is able to view Invitation.WebHome, and successful exploitation can provide unrestricted read and write access to wiki contents.
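The defensive pattern behind this class of bug is to treat invitation subject and message text as literal text rather than as wiki syntax before it reaches a preview renderer. The example below is added here and is not XWiki's code; it assumes the XWiki 2.x syntax rule that `~` escapes the character after it, and the function names are illustrative.

```python
import re

# Characters that carry markup meaning in XWiki 2.x syntax and must not
# reach the renderer unescaped when the source is untrusted user input.
# '~' is the syntax's own escape character, so it is escaped first.
_SPECIAL = "~{}[]*_#-=|"

# Matches an opening or closing macro tag such as {{velocity}} or {{/velocity}}.
_MACRO_RE = re.compile(r"\{\{\s*/?\s*[A-Za-z][\w-]*")


def escape_xwiki_syntax(text: str) -> str:
    """Return text with every syntax-significant character prefixed by '~'.

    Assumption (illustrative, not XWiki's own API): '~' escapes the next
    character, so the renderer shows the input literally instead of
    interpreting macros or formatting.
    """
    out = []
    for ch in text:
        if ch in _SPECIAL:
            out.append("~")
        out.append(ch)
    return "".join(out)


def contains_macro_syntax(text: str) -> bool:
    """Detection check: does untrusted text carry a wiki macro tag?

    Useful for logging or rejecting invitation content that should never
    need macros, independent of whether the renderer is patched.
    """
    return _MACRO_RE.search(text) is not None


def safe_preview_subject(subject: str) -> str:
    """Build the string that may be handed to a wiki-syntax preview.

    Constructed wrapper: escapes first, and never interpolates the raw value.
    """
    return "**Invitation:** " + escape_xwiki_syntax(subject)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real incident.
    for sample in ["Join our wiki!", "Hi {{velocity}}x{{/velocity}}", "a~b"]:
        print(contains_macro_syntax(sample), safe_preview_subject(sample))
```

The escape function neutralizes formatting as well as macros, so a subject that legitimately contains `*` or `[` is shown literally rather than rendered.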


How to mitigate CVE-2023-37914

Install the security update from the vendor's website.
