Improper access control in XWiki platform - CVE-2023-29526

 

Improper access control in XWiki platform - CVE-2023-29526

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129956
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29526
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and interact with restricted documents.

The vulnerability exists due to improper access control in the async and display macros when rendering comment content in comments viewer mode. A remote user can create a comment containing crafted macro content to disclose sensitive information and interact with restricted documents.

Exploitation requires comment rights for the attacking user and use of the comments viewer.


How to mitigate CVE-2023-29526

Install security update from vendor's website.

Sources