Incorrect authorization in XWiki platform - CVE-2023-32069

 

Incorrect authorization in XWiki platform - CVE-2023-32069

Published: May 9, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129950
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-32069
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to incorrect authorization in the XWiki.ClassSheet document handling when rendering a user profile containing a DocumentSheetBinding object bound to the Default Class Sheet. A remote user can add a DocumentSheetBinding object to their profile and inject crafted Groovy macro content to execute arbitrary code.

The code is executed with the rights of the author of the XWiki.ClassSheet document.


How to mitigate CVE-2023-32069

Install security update from vendor's website.

Sources