CVE-2023-29519

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-29519

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29519.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-29519

Aliases

GHSA-3hjg-cghv-22ww

Published

2023-04-18T23:31:09Z

Modified

2025-10-14T14:34:15Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Code injection in org.xwiki.platform:xwiki-platform-attachment-ui

Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

08e0887f0362b21614e6bfcb5be7e1f568659c41

Database specific

{
    "unresolved_versions": [
        {
            "type": "",
            "events": [
                {
                    "introduced": "14.0.0"
                },
                {
                    "fixed": "14.4.8"
                }
            ]
        },
        {
            "type": "",
            "events": [
                {
                    "introduced": "14.5.0"
                },
                {
                    "fixed": "14.10.2"
                }
            ]
        }
    ]
}