Eval Injection in XWiki platform - CVE-2023-29519

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129966
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-29519
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code (eval injection) in the attachment selector: the "property" field is evaluated when the attachment selector is used as a gadget on a dashboard, and a remote attacker who can edit their own dashboard can place crafted code in the "property" field to execute arbitrary code.

Successful exploitation can lead to privilege escalation. Wiki comments are not affected.

Remediation

Install the security update from the vendor's website.

External links