Incorrect Privilege Assignment in XWiki platform - CVE-2023-29515


Published: April 18, 2023 / Updated: May 5, 2026
Vulnerability identifier: #VU129969
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-29515
CWE-ID: CWE-266
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to inject malicious JavaScript.

The vulnerability exists due to incorrect privilege assignment in App Within Minutes when creating an app. A remote user can create an app, or directly open the CreateApplication wizard endpoint, to inject malicious JavaScript.

The root cause is that creating an app can grant the user space admin rights, and space admin rights imply script rights.
Remediation

Install security update from vendor's website.

External links