Improper access control in XWiki platform - CVE-2023-29526


Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129956
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29526
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to disclose sensitive information and interact with restricted documents.

The vulnerability exists due to improper access control in the async and display macros when they render comment content in comment viewer mode. A remote user can create a comment containing crafted macro content to disclose sensitive information and interact with restricted documents.

Exploitation requires that the attacking user has comment rights and that the comments viewer is in use.


Remediation

Install the security update from the vendor's website.

External links