Eval Injection in XWiki platform - CVE-2023-29511

 

Eval Injection in XWiki platform - CVE-2023-29511

Published: April 12, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129973
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29511
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWiki.AdminFieldsDisplaySheet when processing section ids. A remote user can inject crafted section ids to execute arbitrary code.

The issue can lead to full access to the XWiki installation, and the affected page is installed by default.


How to mitigate CVE-2023-29511

Install security update from vendor's website.

Sources