Incorrect authorization in XWiki platform - CVE-2023-32069

Published: May 9, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129950
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-32069
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows an authenticated remote user to execute arbitrary code on the server.

The vulnerability exists due to incorrect authorization in the way the XWiki.ClassSheet document (the default class sheet) is applied when a user profile carries an XWiki.DocumentSheetBinding object that points at it. Any user who can edit their own profile can add such a binding and place crafted Groovy macro content in the profile; when the profile is rendered through the sheet, that content is executed.

The code runs with the rights of the author of the XWiki.ClassSheet document rather than those of the user who supplied it. Since XWiki only executes a Groovy macro when the effective author holds programming rights, this amounts to code execution with programming rights on the wiki.
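The following audit script is an added example, not part of this advisory and not XWiki's own code. It queries a wiki for every page that binds itself to XWiki.ClassSheet through a DocumentSheetBinding object and then inspects each page's content for script macros, which is the pattern described above. It assumes the standard XWiki REST resources `/rest/wikis/{wiki}/query` (with `type=xwql`) and `/rest/wikis/{wiki}/spaces/{space}/pages/{page}`, that their XML uses the `http://www.xwiki.org` namespace with `pageFullName`, `content` and `author` elements, and that the binding class stores its target in a `sheet` property. The server responses embedded at the bottom are constructed so the script runs offline; the `audit`, `inspect_page` and `sample_fetch` names are this example's own.

```python
"""Audit helper for CVE-2023-32069 (added example; assumptions noted in comments)."""
import base64
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NS = "{http://www.xwiki.org}"  # assumed namespace of the XWiki REST XML payloads

# Assumed XWQL: every document carrying a DocumentSheetBinding that targets the default class sheet.
XWQL = ("select doc.fullName from Document doc, "
        "doc.object(XWiki.DocumentSheetBinding) as binding "
        "where binding.sheet = 'XWiki.ClassSheet'")

# Script macros that XWiki executes at render time under the effective author's rights.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|python|php|velocity)\b", re.IGNORECASE)


def bound_pages(search_xml: str) -> list:
    """Space.Page names from a /query response (searchResult/pageFullName elements, assumed)."""
    root = ET.fromstring(search_xml)
    return [el.text for el in root.iter(NS + "pageFullName") if el.text]


def inspect_page(full_name: str, page_xml: str) -> dict:
    """Summarise one /pages response: who last saved it and which script macros it embeds."""
    root = ET.fromstring(page_xml)
    content = root.findtext(NS + "content") or ""
    macros = sorted({m.group(1).lower() for m in SCRIPT_MACRO.finditer(content)})
    return {
        "page": full_name,
        "author": root.findtext(NS + "author") or "",
        "script_macros": macros,
        # Binding to XWiki.ClassSheet plus a script macro in the content is the advisory's
        # pattern; a binding without a macro still deserves a manual look.
        "suspicious": bool(macros),
    }


def audit(base_url: str, wiki: str, user: str, password: str, fetch=None) -> list:
    """Run the query, inspect every bound page and return the findings, suspicious ones first."""
    fetch = fetch or _http_get  # injectable so the logic can be exercised offline
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token}
    query = urllib.parse.urlencode({"q": XWQL, "type": "xwql", "number": 100})
    findings = []
    for full_name in bound_pages(fetch(f"{base_url}/rest/wikis/{wiki}/query?{query}", headers)):
        space, _, page = full_name.rpartition(".")
        space_path = "/spaces/".join(space.split("."))  # nested spaces map to /spaces/A/spaces/B
        page_xml = fetch(f"{base_url}/rest/wikis/{wiki}/spaces/{space_path}/pages/{page}", headers)
        findings.append(inspect_page(full_name, page_xml))
    return sorted(findings, key=lambda f: not f["suspicious"])


def _http_get(url: str, headers: dict) -> str:
    req = urllib.request.Request(url, headers={**headers, "Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# --- constructed sample responses so the audit runs without a wiki ----------------------
SAMPLE_QUERY_XML = """<?xml version="1.0"?>
<searchResults xmlns="http://www.xwiki.org">
  <searchResult><type>page</type><pageFullName>XWiki.Mallory</pageFullName></searchResult>
  <searchResult><type>page</type><pageFullName>Sandbox.SheetDemo</pageFullName></searchResult>
</searchResults>"""

SAMPLE_PAGES = {
    "XWiki.Mallory": """<page xmlns="http://www.xwiki.org"><author>XWiki.Mallory</author>
      <content>{{groovy}}println "rendered with the sheet author's rights"{{/groovy}}</content></page>""",
    "Sandbox.SheetDemo": """<page xmlns="http://www.xwiki.org"><author>XWiki.Admin</author>
      <content>= Just a plain page =</content></page>""",
}


def sample_fetch(url: str, headers: dict) -> str:
    """Stand-in for _http_get that answers from the constructed samples above."""
    if "/query?" in url:
        return SAMPLE_QUERY_XML
    page = url.rsplit("/pages/", 1)[1]
    space = url.split("/spaces/", 1)[1].split("/pages/")[0].replace("/spaces/", ".")
    return SAMPLE_PAGES[f"{space}.{page}"]


if __name__ == "__main__":
    for finding in audit("http://wiki.example", "xwiki", "auditor", "secret", fetch=sample_fetch):
        print(finding)
```

Against a live wiki, drop the `fetch=` argument and pass a read-only account; the query lists every page bound to the default class sheet, and only those whose content also contains a script macro are ranked as suspicious. Pages that merely carry the binding are not flagged, so review them by hand before concluding they are benign.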


Remediation

Install the security update from the vendor's website.

External links