Eval Injection in XWiki platform - CVE-2023-29512

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129972
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29512
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the imported.vm, importinline.vm and packagelist.vm templates when they load information from attachments. A remote user who can edit a page can place crafted attachment content on it and thereby execute arbitrary code.

The affected page is installed by default, and successful exploitation can lead to full access to the XWiki installation.


Remediation

Install the security update from the vendor's website.

External links