Incorrect Privilege Assignment in XWiki platform - CVE-2023-29515

 

Incorrect Privilege Assignment in XWiki platform - CVE-2023-29515

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129969
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-29515
CWE-ID: CWE-266
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to inject malicious JavaScript.

The vulnerability exists due to incorrect privilege assignment in App Within Minutes when creating an app. A remote user can create an app or directly open the CreateApplication wizard endpoint to inject malicious JavaScript.

The issue occurs because creating an app can grant space admin rights, which imply script rights.


How to mitigate CVE-2023-29515

Install security update from vendor's website.

Sources