CVE-2023-29507

CRITICAL

XWiki Commons - Info Disclosure


Description

XWiki Commons are technical libraries common to several other top-level XWiki projects. The Document script API directly returns a DocumentAuthors object, which allows any author to be set on the document; because this author is used for rights checks, it can in consequence allow subsequent script executions. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

Scores

CVSS v3 9.1
EPSS 0.0994
EPSS Percentile 93.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-648
Status published
Products (3)
org.xwiki.platform/xwiki-platform-oldcore 14.5 - 14.10 (Maven)
xwiki/xwiki 14.10 rc1
xwiki/xwiki 14.4.1 - 14.4.7
Published Apr 16, 2023
Tracked Since Feb 18, 2026