Eval Injection in XWiki platform - CVE-2023-29510

Published: April 18, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129974
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29510
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code (CWE-95) in the localization script: user-scoped translations are processed in privileged contexts without escaping, so directive syntax inside a translation value is evaluated rather than displayed. A remote user can register a crafted translation that overrides an existing translation key; when a privileged page renders that key, the injected directives run and arbitrary code is executed.

Exploitation requires edit access on at least one document, which by default includes the user's own profile page, so the attacker needs no elevated rights on the wiki.
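The flow described above, as an added toy model written for this page (it is not XWiki code and does not reproduce XWiki's patch): two translation scopes where the user scope shadows the wiki scope, a privileged renderer that evaluates `{{eval:...}}` directives, and the vulnerable substitution beside a hardened one that escapes user-scoped values before they reach the evaluator. The `$msg.get()` / `{{eval:...}}` syntax, the `PRIVILEGED_CONTEXT` dict and the sample admin page are all assumptions made for this model.

```python
import re

# Constructed example (not XWiki code). The directive syntax, the context dict and
# the scope rules below are assumptions made for this model only.

# Stand-in for the privileged context an admin page renders in: whatever an
# evaluated directive can reach. Here it is simply a dict exposed to eval().
PRIVILEGED_CONTEXT = {"secrets": {"db_password": "hunter2"}}

# Two translation scopes. Wiki-scoped values are set by administrators; user-scoped
# values can be registered by anyone with edit rights on some document (their own
# profile page, by default). Lookup prefers the user scope, so a user can shadow a
# key that a privileged page already uses.
WIKI_TRANSLATIONS = {"panel.title": "Administration"}
USER_TRANSLATIONS = {}

# A directive is evaluated unless its opening delimiter is escaped with a backslash.
EVAL_DIRECTIVE = re.compile(r"(?<!\\)\{\{eval:(.*?)\}\}")
MSG_CALL = re.compile(r"\$msg\.get\('([^']+)'\)")


def register_user_translation(key, value):
    """What a user with edit rights on a single document can do: shadow an existing key."""
    USER_TRANSLATIONS[key] = value


def lookup(key):
    """Resolve key -> (value, scope). The user scope shadows the wiki scope."""
    if key in USER_TRANSLATIONS:
        return USER_TRANSLATIONS[key], "user"
    return WIKI_TRANSLATIONS.get(key, key), "wiki"


def evaluate_directives(text):
    """Privileged renderer: evaluate every unescaped {{eval:EXPR}} in the privileged context."""
    def run(m):
        return str(eval(m.group(1), {"__builtins__": {}}, PRIVILEGED_CONTEXT))  # the sink
    evaluated = EVAL_DIRECTIVE.sub(run, text)
    return evaluated.replace("\\{{", "{{")  # drop escape markers once evaluation is over


def render_vulnerable(template):
    """Vulnerable flow: translation values are inlined verbatim, then the whole page is
    evaluated, so directive syntax inside a user-scoped value runs with page privileges."""
    expanded = MSG_CALL.sub(lambda m: lookup(m.group(1))[0], template)
    return evaluate_directives(expanded)


def escape_directives(value):
    """Neutralize directive syntax in untrusted text: every '{{' gets a backslash in
    front of it, so the evaluator leaves it alone and later strips the backslash,
    displaying the user's string exactly as written."""
    return value.replace("{{", "\\{{")


def render_fixed(template):
    """Hardened flow: values from the untrusted (user) scope are escaped before they
    meet the evaluator; wiki-scoped values, set by administrators, are left as-is."""
    def substitute(m):
        value, scope = lookup(m.group(1))
        return escape_directives(value) if scope == "user" else value
    return evaluate_directives(MSG_CALL.sub(substitute, template))


# Constructed admin page: a trusted template that uses a translation key.
ADMIN_PAGE = "<h1>$msg.get('panel.title')</h1>"

# Constructed attacker translation that overrides the key the admin page uses.
PAYLOAD = "{{eval:secrets['db_password']}}"


def demo():
    """Render the page before and after the override, through both flows."""
    USER_TRANSLATIONS.clear()
    baseline = render_vulnerable(ADMIN_PAGE)  # no override yet: the wiki value is used
    register_user_translation("panel.title", PAYLOAD)
    return {
        "baseline": baseline,
        "vulnerable": render_vulnerable(ADMIN_PAGE),  # leaks the privileged value
        "fixed": render_fixed(ADMIN_PAGE),            # shows the payload as literal text
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out}")
```

The hardened path does not try to detect "bad" translations; it treats every value from the untrusted scope as data, which is the only robust answer to CWE-95. Escaping is applied at the boundary where the value enters the evaluator, and the unescape step runs only after evaluation has finished, so a value that already contains a backslash-escaped directive is still displayed verbatim rather than re-interpreted.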


Remediation

Install the security update from the vendor's website.
