CVE-2023-29527

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-29527

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29527.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-29527

Aliases

GHSA-jgrg-qvpp-9vwr

Published

2023-04-18T22:53:41.740Z

Modified

2026-03-14T12:05:16.465347Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Code injection from account through AWM view sheet in xwiki platform

Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing the document after saving it will execute the groovy script in the server context which provides code execution. This vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.3. Users are advised to upgrade. There are no known workarounds for this issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-74"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/29xxx/CVE-2023-29527.json"
}

References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0b34ba50be456d548054f8a5e0a61c16927e1111

Fixed

a5bb704d3517251bc86e46ea0370ba800adb6a4e

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29527.json"