CWE-74

CVE-2023-29524: Code injection from account through XWiki.SchedulerJobSheet in xwiki-platform

First published: Tue Apr 18 2023

### Impact

It's possible to execute anything with the right of the Scheduler Application sheet page.

To reproduce:

1. As a user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass (search for "Scheduler").
2. In "Job Script", add the following:

   ```
   {{/code}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy} {{/async}}
   ```

3. Click "Save & View".
4. If the job information isn't already displayed (you should see "Job Name", "Job Description", etc.), append `?sheet=XWiki.SchedulerJobSheet` to the URL.

### Patches

This has been patched in XWiki 14.10.3 and 15.0 RC1.

### Workarounds

While the fix in the scheduler itself is easy, it relies on the code macro `source` parameter, which was introduced in 14.10.2, so you have to upgrade to benefit from it.

### References

* https://jira.xwiki.org/browse/XWIKI-20295
* https://jira.xwiki.org/browse/XWIKI-20462

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)
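As an added illustration (not code from the advisory, from XWiki or from SecAlerts), the following Python models why inlining the job script into the sheet's `{{code}}` macro is unsafe and gives an administrator a check to run over stored job scripts. The macro tokenizer is a simplification of XWiki's renderer, the sample scripts are constructed, and the `source` reference value is a placeholder.

```python
import re

# Constructed sample job scripts for the demonstration (not from the advisory).
BENIGN_SCRIPT = 'println("nightly cleanup finished")'
INJECTED_SCRIPT = (
    '{{/code}} {{async async="true" cached="false" context="doc.reference"}}'
    '{{groovy}}println("Hello from groovy"){{/groovy}} {{/async}}'
)

# XWiki-style macro tags: {{name params}}, {{name params/}} and {{/name}}.
MACRO_TAG = re.compile(r"\{\{\s*(/?)\s*([A-Za-z][\w-]*)([^}]*?)(/?)\s*\}\}")


def render_sheet_vulnerable(script: str) -> str:
    """Pre-14.10.3 pattern (simplified): the job script is concatenated into the
    code macro body, so its text becomes wiki syntax rendered with the sheet's rights."""
    return '{{code language="none"}}' + script + "{{/code}}"


def render_sheet_fixed(script: str) -> str:
    """Post-fix pattern (simplified): the code macro reads the script through its
    `source` parameter, so the script text is never part of the markup. The
    reference value here is a placeholder, not the real XWiki property reference."""
    return '{{code language="none" source="PLACEHOLDER_PROPERTY_REFERENCE"/}}'


def live_macros(markup: str) -> list[str]:
    """Simplified renderer model: macros that would execute. Text inside the code
    macro is verbatim, but the first {{/code}} closes it and what follows is live."""
    live, inside_code = [], False
    for closing, name, _params, self_closing in MACRO_TAG.findall(markup):
        name = name.lower()  # assumed: macro names compared case-insensitively
        if inside_code:
            inside_code = not (closing and name == "code")
            continue
        if closing:
            continue  # closing tag of a macro already counted, or a stray one
        live.append(name)
        inside_code = name == "code" and not self_closing
    return live


def audit_job_script(script: str) -> list[str]:
    """Defender's check over a stored job script: macros beyond the intended code
    macro that a vulnerable sheet would execute. Non-empty means break-out."""
    return [m for m in live_macros(render_sheet_vulnerable(script)) if m != "code"]
```

Run `audit_job_script` over the job script property of every XWiki.SchedulerJobClass object exported from an unpatched wiki; any non-empty result is a job to review before its sheet is displayed.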

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | <14.10.3 | |
| maven/org.xwiki.platform:xwiki-platform-scheduler-ui | >=2.0.1, <14.10.3 | 14.10.3 |


Frequently Asked Questions

  • What is CVE-2023-29524?

    CVE-2023-29524 is a vulnerability in XWiki Platform that allows an attacker to execute arbitrary code with the permissions of the Scheduler Application sheet page.

  • How severe is CVE-2023-29524?

    CVE-2023-29524 has a severity rating of 8.8 out of 10, which is considered critical.

  • How does CVE-2023-29524 affect XWiki Platform?

    CVE-2023-29524 affects XWiki Platform versions up to and excluding 14.10.3.

  • How can CVE-2023-29524 be exploited?

    CVE-2023-29524 can be exploited by a user without script or programming rights who edits their user profile with the object editor and adds a new object carrying malicious code.

  • Is there a fix available for CVE-2023-29524?

    Yes, a fix is available for CVE-2023-29524. It is recommended to update XWiki Platform to version 14.10.3 or later.
