Main Vulnerability Database Vulnerabilities #VU129987

Eval Injection in XWiki platform - CVE-2023-29210

Published: April 12, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU129987

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-29210

CWE-ID: CWE-95

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
XWiki platform

Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the notification preferences macros when processing the user parameter. A remote user can inject crafted macro input to execute arbitrary code.

The affected macros are used in user profiles and are installed by default in XWiki.

Remediation

Install security update from vendor's website.

External links

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9mj-v5mf-m82x
https://github.com/xwiki/xwiki-platform/commit/cebf9167e4fd64a8777781fc56461e9abbe0b32a

Eval Injection in XWiki platform - CVE-2023-29210

Description

Remediation

External links

Please verify you're human