Incorrect Use of Privileged APIs in XWiki platform - CVE-2023-29507

Published: April 12, 2023 / Updated: May 5, 2026
Vulnerability identifier: #VU129978
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-29507
CWE-ID: CWE-648
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to incorrect use of privileged APIs in the Document script API when returning a DocumentAuthors object to scripts. A remote privileged user can set arbitrary document authors to escalate privileges.

This can lead to subsequent script executions being evaluated with the modified author for rights checking.
Remediation

Install security update from vendor's website.

External links