Main Vulnerability Database Vulnerabilities #VU129984

Eval Injection in XWiki platform - CVE-2023-29212

Published: April 12, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU129984

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-29212

CWE-ID: CWE-95

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
XWiki platform

Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the IncludedPagesDocumentInformation included documents edit panel when rendering included pages. A remote user can edit a document containing specially crafted content to execute arbitrary code.

This can lead to full access to the XWiki installation.

Remediation

Install security update from vendor's website.

Eval Injection in XWiki platform - CVE-2023-29212

Description

Remediation

External links

Please verify you're human