Main Vulnerability Database Vulnerabilities #VU129973

Eval Injection in XWiki platform - CVE-2023-29511

Published: April 12, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU129973

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-29511

CWE-ID: CWE-95

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
XWiki platform

Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWiki.AdminFieldsDisplaySheet when processing section ids. A remote user can inject crafted section ids to execute arbitrary code.

The issue can lead to full access to the XWiki installation, and the affected page is installed by default.

Remediation

Install security update from vendor's website.

External links

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rfh6-mg6h-h668
https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede

Eval Injection in XWiki platform - CVE-2023-29511

Description

Remediation

External links

Please verify you're human