Eval Injection in XWiki platform - CVE-2023-29209
Published: April 12, 2023 / Updated: May 5, 2026
Vulnerability identifier: #VU129988
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-29209
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
XWiki platform
XWiki platform
Software vendor:
XWiki
XWiki
Description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the legacy notification activity macro when processing crafted macro parameters. A remote user can supply crafted macro input to execute arbitrary code.
The issue can be exploited through editable wiki pages, and it can also be reached with only view rights via the HTMLConverter in the bundled CKEditor integration.
Remediation
Install security update from vendor's website.