Information disclosure in XWiki platform - CVE-2023-29517

 

Information disclosure in XWiki platform - CVE-2023-29517

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129967
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29517
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the office document viewer macro when handling document viewing requests through a connected office server. A remote attacker can access file contents from the hosting server to disclose sensitive information.

The issue depends on the office server being connected, and the accessible data depends on the permissions of the user running the servlet engine hosting XWiki.


How to mitigate CVE-2023-29517

Install security update from vendor's website.

Sources