Information disclosure in XWiki platform - CVE-2023-29517

 

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129967
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29517
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the office document viewer macro when handling document viewing requests through a connected office server. A remote attacker can access file contents from the hosting server to disclose sensitive information.

The issue depends on the office server being connected, and the accessible data depends on the permissions of the user running the servlet engine hosting XWiki.


Remediation

Install the security update from the vendor's website.
