Eval Injection in XWiki platform - CVE-2023-29514

 

Eval Injection in XWiki platform - CVE-2023-29514

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129970
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29514
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in template provider administration when processing document titles in the administration template listing. A remote user can set a crafted document title, add an XWiki.TemplateProviderClass object to a document they can edit, and access the administration templates sheet to execute arbitrary code.

Exploitation requires edit rights on a document and the ability to add a Template Provider Class object.


How to mitigate CVE-2023-29514

Install security update from vendor's website.

Sources