Incorrect Use of Privileged APIs in XWiki platform - CVE-2023-29507

 

Incorrect Use of Privileged APIs in XWiki platform - CVE-2023-29507

Published: April 12, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129978
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-29507
CWE-ID: CWE-648
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to incorrect use of privileged APIs in the Document script API when returning a DocumentAuthors object to scripts. A remote privileged user can set arbitrary document authors to escalate privileges.

This can lead to subsequent script executions being evaluated with the modified author for rights checking.


How to mitigate CVE-2023-29507

Install security update from vendor's website.

Sources