Eval Injection in XWiki platform - CVE-2023-29512

 

Eval Injection in XWiki platform - CVE-2023-29512

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129972
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29512
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in imported.vm, importinline.vm, and packagelist.vm when loading information from attachments. A remote user can place crafted attachment content on a page they can edit to execute arbitrary code.

The affected page is installed by default, and successful exploitation can lead to full access to the XWiki installation.


How to mitigate CVE-2023-29512

Install security update from vendor's website.

Sources