CVE-2023-29521: Code injection from account/view through VFS Tree macro in xwiki-platform
First published: Tue Apr 18 2023(Updated: )
### Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Macro.VFSTreeMacro`. This page is not installed by default. See https://jira.xwiki.org/browse/XWIKI-20260 for the reproduction steps. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12) on `Macro.VFSTreeMacro`. ### References - https://jira.xwiki.org/browse/XWIKI-20260 - https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | <13.10.11 | |
| Xwiki Xwiki | >=14.0<14.4.8 | |
| Xwiki Xwiki | >=14.5<14.10.2 | |
| maven/org.xwiki.platform:xwiki-platform-vfs-ui | >=14.5<14.10.2 | 14.10.2 |
| maven/org.xwiki.platform:xwiki-platform-vfs-ui | >=14.0-rc-1<14.4.8 | 14.4.8 |
| maven/org.xwiki.platform:xwiki-platform-vfs-ui | >=7.4-milestone-2<13.10.11 | 13.10.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p67q-h88v-5jgr
- https://jira.xwiki.org/browse/XWIKI-20260
- https://nvd.nist.gov/vuln/detail/CVE-2023-29521
- https://github.com/advisories/GHSA-p67q-h88v-5jgr (Advisory)
Frequently Asked Questions
What is CVE-2023-29521?
CVE-2023-29521 is a vulnerability in XWiki Platform that allows any user with view rights to execute arbitrary Groovy, Python, or Velocity code, leading to full access to the XWiki installation.
What is the severity of CVE-2023-29521?
CVE-2023-29521 has a severity score of 8.8, which is considered high.
How can the CVE-2023-29521 vulnerability be exploited?
The CVE-2023-29521 vulnerability can be exploited by any user with view rights executing arbitrary Groovy, Python, or Velocity code in XWiki.
Which software versions are affected by CVE-2023-29521?
XWiki versions up to 13.10.11 and versions between 14.0 and 14.4.8 are affected by CVE-2023-29521.
Is there a fix for CVE-2023-29521?
Yes, a fix for CVE-2023-29521 is available. It is recommended to update to XWiki version 14.4.8 (for versions up to 13.10.11) or version 14.10.2 (for versions between 14.0 and 14.4.8).
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-p67q-h88v-5jgr
- alias/CVE-2023-29521
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/title
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- agent/tags
- agent/first-publish-date
- vendor/xwiki
- canonical/xwiki xwiki
- version/xwiki xwiki/14.0
- version/xwiki xwiki/14.5
- package-manager/maven