Eval Injection in XWiki platform - CVE-2023-29516

 

Eval Injection in XWiki platform - CVE-2023-29516

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129968
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29516
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the XWiki.AttachmentSelector page when processing the "Cancel and return to page" button input. A remote user can send a specially crafted value to execute arbitrary code.

This page is installed by default.


How to mitigate CVE-2023-29516

Install security update from vendor's website.

Sources