CVE-2023-29213

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-29213

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29213.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-29213

Aliases

GHSA-4655-wh7v-3vmg

Published

2023-04-17T21:21:40.977Z

Modified

2025-11-19T20:01:18.203580Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

org.xwiki.platform:xwiki-platform-logging-ui Injection vulnerability

Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of org.xwiki.platform:xwiki-platform-logging-ui it is possible to trick a user with programming rights into visiting a constructed url where e.g., by embedding an image with this URL in a document that is viewed by a user with programming rights which will evaluate an expression in the constructed url and execute it. This issue has been addressed in versions 13.10.11, 14.4.7, and 14.10. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "cwe_ids": [
        "CWE-74"
    ]
}

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8d72461ba6976af6005e2df511bdeeeb17ef2d74

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

49fdfd633ddfa346c522d2fe71754dc72c9496ca

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2

xwiki-platform-7.4-milestone-1

xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1

xwiki-platform-8.0-milestone-2

xwiki-platform-8.1-milestone-1

xwiki-platform-8.1-milestone-2

xwiki-platform-8.2-milestone-1

xwiki-platform-8.2-milestone-2

xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-test/xwiki-platform-test-page/src/main/java/org/xwiki/test/page/LocalizationSetup.java",
            "function": "getVarArgs"
        },
        "digest": {
            "length": 283.0,
            "function_hash": "315286390476560687272453536930064026798"
        },
        "source": "https://github.com/xwiki/xwiki-platform/commit/49fdfd633ddfa346c522d2fe71754dc72c9496ca",
        "signature_version": "v1",
        "id": "CVE-2023-29213-3f101cbc",
        "deprecated": false,
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-test/xwiki-platform-test-page/src/main/java/org/xwiki/test/page/LocalizationSetup.java"
        },
        "digest": {
            "line_hashes": [
                "176324396711211886494347181056334423121",
                "208815639966157117305790925315775370254",
                "299092216223497310377284565810113052534",
                "267801404528191722036628386496306462673",
                "165947896578475439629891919407642960487",
                "81050904693582358759861448033977643256",
                "299705932300590837945496346937078218235",
                "224149787815639230531740337014136409631",
                "139488914777591427271315264436546035611",
                "46751376020254040305439807272413809004"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/xwiki/xwiki-platform/commit/49fdfd633ddfa346c522d2fe71754dc72c9496ca",
        "signature_version": "v1",
        "id": "CVE-2023-29213-7a129747",
        "deprecated": false,
        "signature_type": "Line"
    }
]