CVE-2023-29526
CRITICALXWiki Platform 10.11.1-13.10.11 - Remote Code Execution via Async and Display Macros
Title source: llmDescription
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be executed when viewed providing a code injection vector in the context of the running server. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.
References (3)
Core 3
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gpq5-7p34-vqx5
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XRENDERING-694
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-20394
Scores
CVSS v3
9.9
EPSS
0.2251
EPSS Percentile
95.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (3)
org.xwiki.platform/xwiki-platform-oldcore
10.11.1 - 13.10.11Maven
org.xwiki.platform/xwiki-platform-rendering-async-macro
10.11.1 - 13.10.11Maven
xwiki/xwiki
10.11.1 - 13.10.11
Published
Apr 19, 2023
Tracked Since
Feb 18, 2026