Eval Injection in XWiki platform - CVE-2023-36470
Published: June 29, 2023 / Updated: May 5, 2026
Vulnerability identifier: #VU129940
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-36470
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: XWiki
Affected software:
XWiki platform
XWiki platform
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in icon themes when rendering icon sets from created or edited documents. A remote user can inject XWiki syntax and Velocity code to execute arbitrary code.
The injected code can be executed with programming rights, impacting the confidentiality, integrity, and availability of the whole XWiki instance.
How to mitigate CVE-2023-36470
Install security update from vendor's website.