Eval Injection in XWiki platform - CVE-2023-29514

 

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129970
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29514
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote authenticated user to execute arbitrary code on the server.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code (CWE-95) in the template provider administration: the administration template listing renders each template provider's document title as wiki markup rather than as plain text, so macros and script directives placed in a title are evaluated when the listing is displayed. A remote user can set a crafted document title on a document they can edit, add an XWiki.TemplateProviderClass object to that document so that it is picked up as a template provider, and then access the administration templates sheet, which evaluates the title and executes the attacker's code.

Exploitation requires only edit rights on some document (for example, the user's own profile page) and the ability to add an XWiki.TemplateProviderClass object to it; administrative rights are not needed (the vector above records PR:L). Because the crafted title is stored in the document, an affected instance can be checked for template provider documents whose titles contain wiki macro or Velocity syntax.
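The check just described, as an added example for this advisory (it is not XWiki code and not part of the original entry): it flags documents that both carry an XWiki.TemplateProviderClass object and have a title containing XWiki macro syntax or Velocity directives, which is the combination the advisory describes. The input format (a list of dicts with reference, author, title and object class names) is an assumed simplified export, SAMPLE_DOCUMENTS is constructed data, and the regular expressions are heuristics rather than an XWiki syntax parser.

```python
"""Hunt for XWiki documents that satisfy the CVE-2023-29514 precondition.

Added example for this advisory, not XWiki project code. A document is
flagged when it (a) carries an XWiki.TemplateProviderClass object and
(b) has a title containing XWiki macro syntax or Velocity directives.
The input format is an assumed simplified export; SAMPLE_DOCUMENTS is
constructed test data.
"""
import re
from dataclasses import dataclass

TEMPLATE_PROVIDER_CLASS = "XWiki.TemplateProviderClass"

# XWiki 2.x macro syntax is {{name params}}...{{/name}}; capture the name
# of each opening or closing macro tag found in a title.
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z][\w-]*)")
# Macros that execute server-side code or pull in other content.
SCRIPTING_MACROS = {"groovy", "python", "velocity", "script", "async", "include", "display"}
# Velocity directives (#set, #if, ...) and references ($xwiki, ${doc}).
VELOCITY_RE = re.compile(r"#(?:set|if|foreach|macro|evaluate|include|parse)\b|\$\{?[A-Za-z_]\w*")


@dataclass
class Finding:
    reference: str
    author: str
    indicators: list


def title_markup_indicators(title):
    """Return the markup indicators found in a title, in order, de-duplicated.

    A legitimate title is plain text, so any macro tag or Velocity directive
    is suspicious; macros that run code are tagged as scripting.
    """
    hits = []
    for match in MACRO_RE.finditer(title):
        name = match.group(1).lower()
        tag = f"macro:{name}" + (" (scripting)" if name in SCRIPTING_MACROS else "")
        if tag not in hits:
            hits.append(tag)
    if VELOCITY_RE.search(title) and "velocity-directive" not in hits:
        hits.append("velocity-directive")
    return hits


def hunt(documents):
    """Flag documents with a TemplateProviderClass object and a markup-bearing title."""
    findings = []
    for doc in documents:
        if TEMPLATE_PROVIDER_CLASS not in doc.get("objects", ()):
            continue  # not listed by the template administration, out of scope here
        indicators = title_markup_indicators(doc.get("title", ""))
        if indicators:
            findings.append(Finding(doc["reference"], doc.get("author", "unknown"), indicators))
    return findings


# Constructed sample data, not taken from any real wiki.
SAMPLE_DOCUMENTS = [
    {   # Legitimate template provider: plain-text title.
        "reference": "xwiki:XWiki.ArticleTemplateProvider",
        "author": "xwiki:XWiki.Admin",
        "title": "Article template",
        "objects": ["XWiki.TemplateProviderClass"],
    },
    {   # User profile used as a staging document: macro markup in the title
        # plus a TemplateProviderClass object added by its owner.
        "reference": "xwiki:XWiki.mallory",
        "author": "xwiki:XWiki.mallory",
        "title": '{{groovy}}println("probe"){{/groovy}}',
        "objects": ["XWiki.XWikiUsers", "XWiki.TemplateProviderClass"],
    },
    {   # Velocity reference in the title but no TemplateProviderClass object:
        # not reachable through the administration template listing.
        "reference": "xwiki:Sandbox.Notes",
        "author": "xwiki:XWiki.bob",
        "title": "{{velocity}}$xwiki.version{{/velocity}}",
        "objects": [],
    },
    {   # Non-scripting macro in a provider title: still rendered, still flagged.
        "reference": "xwiki:Main.ReportTemplateProvider",
        "author": "xwiki:XWiki.carol",
        "title": "Q1 {{info}}draft{{/info}} report",
        "objects": ["XWiki.TemplateProviderClass"],
    },
]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_DOCUMENTS):
        print(f"{finding.reference} (last author {finding.author}): "
              f"{', '.join(finding.indicators)}")
```

The hunt is deliberately restricted to documents that carry the TemplateProviderClass object, because that is what makes a title reach the administration listing; a title with macro syntax on an unrelated document is still worth reviewing, but it is not this vulnerability's precondition. In a real triage the author and version history of each flagged document are the next thing to pull, since the object and the title were both written by the same low-privileged account.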


Remediation

Install the security update from the vendor's website.
