CVE-2023-29211
CRITICALXWiki < 13.10.11 - Authenticated Remote Code Execution via Improper WikiId Parameter Escaping
Title source: llmDescription
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter. The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.
References (3)
Core 3
Core References
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w7v9-fc49-4qg4
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64
Exploit, Issue Tracking x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-20297
Scores
CVSS v3
9.9
EPSS
0.0119
EPSS Percentile
63.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-95
CWE-94
Status
published
Products (3)
org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki
5.3-milestone-2 - 13.10.11Maven
xwiki/xwiki
14.10 rc1
xwiki/xwiki
< 13.10.11
Published
Apr 16, 2023
Tracked Since
Feb 18, 2026