Eval Injection in XWiki platform - CVE-2023-29509
Published: April 12, 2023 / Updated: May 5, 2026
Vulnerability identifier: #VU129976
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29509
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
XWiki platform
XWiki platform
Software vendor:
XWiki
XWiki
Description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the documentTree macro parameters in FlamingoThemesCode.WebHome when processing a crafted request URL. A remote user can supply crafted macro input to execute arbitrary code.
The issue can lead to privilege escalation from view rights to programming rights, resulting in full access to the XWiki installation.
Remediation
Install security update from vendor's website.