Eval Injection in XWiki platform - CVE-2023-27479

Published: March 7, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129986
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-27479
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary Groovy, Python or Velocity code.

The vulnerability exists because PanelsCode.ApplicationsPanelConfigurationSheet dynamically evaluates the parameters of UI extensions (UIX) without properly neutralizing script directives in them (CWE-95). A remote user can add an XWiki.UIExtensionClass xobject whose extension parameters contain crafted content, which is then executed as Groovy, Python or Velocity code when the sheet renders the extension.

Exploitation requires view rights.
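A defender auditing an XWiki instance for this issue wants to know whether any document carries an XWiki.UIExtensionClass object whose parameters would be evaluated as code. The following script is an added example, not part of this advisory and not XWiki's own code. It assumes the layout of XWiki's XML document export (an `xwikidoc` root with `object` elements that carry `className` and `property` children, and a `parameters` property holding `key=value` lines); the sample export, the document name `Sandbox.Constructed` and the user name are constructed for the example.

```python
"""Audit an XWiki document XML export for XWiki.UIExtensionClass objects whose
parameters contain script macros or Velocity syntax (defensive check).

Assumed export layout (example assumption, not taken from the advisory):
  <xwikidoc reference="Space.Page"> ... <object><className>...</className>
  <property><parameters>key=value\n...</parameters></property></object>
"""
import re
import xml.etree.ElementTree as ET

UIX_CLASS = "XWiki.UIExtensionClass"

# Markers that mean a parameter value would be evaluated rather than shown as
# plain text: script macros (Groovy/Python/Velocity) and Velocity directives
# or variable references.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|python|velocity)\b", re.IGNORECASE)
VELOCITY_SYNTAX = re.compile(
    r"(#(set|if|foreach|evaluate|macro|include|parse)\b|\$\{?[A-Za-z_])"
)

# Constructed sample export: object 0 carries evaluated content in two
# parameters, object 1 is a benign extension.
SAMPLE_EXPORT = """<xwikidoc version="1.3" reference="Sandbox.Constructed" locale="">
  <web>Sandbox</web>
  <name>Constructed</name>
  <author>xwiki:XWiki.ConstructedUser</author>
  <object>
    <name>Sandbox.Constructed</name>
    <number>0</number>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.panels.Applications</extensionPointId></property>
    <property><name>suspiciousapp</name></property>
    <property><parameters>label={{groovy}}print "marker"{{/groovy}}
target=$request.target
icon=cog</parameters></property>
  </object>
  <object>
    <name>Sandbox.Constructed</name>
    <number>1</number>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.panels.Applications</extensionPointId></property>
    <property><name>safeapp</name></property>
    <property><parameters>label=Safe application
target=Main.WebHome</parameters></property>
  </object>
</xwikidoc>
"""


def parse_parameters(text):
    """Parse the key=value lines of a UIX 'parameters' property into a dict."""
    params = {}
    for line in (text or "").splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def find_risky_uix_objects(xml_text):
    """Return one finding per UIX parameter that contains evaluated content."""
    root = ET.fromstring(xml_text)
    doc_ref = root.get("reference") or f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author")
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != UIX_CLASS:
            continue
        ext_point = obj.findtext("property/extensionPointId")
        params = parse_parameters(obj.findtext("property/parameters"))
        for key, value in params.items():
            markers = []
            if SCRIPT_MACRO.search(value):
                markers.append("script-macro")
            if VELOCITY_SYNTAX.search(value):
                markers.append("velocity")
            if markers:
                findings.append({
                    "document": doc_ref,
                    "author": author,
                    "objectNumber": obj.findtext("number"),
                    "extensionPoint": ext_point,
                    "key": key,
                    "markers": markers,
                })
    return findings


if __name__ == "__main__":
    for f in find_risky_uix_objects(SAMPLE_EXPORT):
        print(f"{f['document']} obj#{f['objectNumber']} ({f['extensionPoint']}) "
              f"param '{f['key']}' by {f['author']}: {', '.join(f['markers'])}")
```

Run it against each document export (for example the XAR produced by an export of the affected wiki) and review every finding; the author field tells you whether the object was added by an account that should not be placing evaluated content in UI extensions. Installing the vendor update remains the fix; this check only helps locate objects that were added before patching.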


How to mitigate CVE-2023-27479

Install the security update from the vendor's website.

Sources