Login Sign Up

CVE-2023-29518

9.9 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows any user with view rights in XWiki Platform to execute arbitrary Groovy, Python, or Velocity code, leading to full compromise of the XWiki installation. The issue stems from improper escaping in the Invitation.InvitationCommon page, which is installed by default. All XWiki installations with vulnerable versions are affected.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: All versions before 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable Invitation.InvitationCommon page is installed by default. Any user with view rights can exploit this vulnerability.

📦 What is this software?

Xwiki by Xwiki

View all CVEs affecting Xwiki →

Xwiki by Xwiki

View all CVEs affecting Xwiki →

Xwiki by Xwiki

View all CVEs affecting Xwiki →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise: attacker gains administrative access to XWiki, can execute arbitrary code on the server, access/modify all data, and potentially pivot to other systems.

🟠

Likely Case

Data breach and system takeover: attacker accesses sensitive wiki content, modifies pages, installs backdoors, and gains persistent access.

🟢

If Mitigated

Limited impact if proper network segmentation and least privilege access controls are implemented, though code execution would still be possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires view rights but no authentication beyond that. The vulnerability is in a default component and code execution is straightforward once the flaw is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XWiki 15.0-rc-1, 14.10.1, 14.4.8, or 13.10.11

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-px54-3w5j-qjg9

Restart Required: Yes

Instructions:

1. Backup your XWiki installation and database. 2. Download the patched version from xwiki.org. 3. Stop the XWiki service. 4. Replace the installation with the patched version. 5. Restart the XWiki service. 6. Verify the fix by checking the version.

🧯 If You Can't Patch

  • Restrict access to only trusted users with view rights
  • Implement network-level controls to limit access to XWiki from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check XWiki version via Admin → About or by examining the installation directory. If version is before 15.0-rc-1, 14.10.1, 14.4.8, or 13.10.11, you are vulnerable.

Check Version:

Check the XWiki web interface at Admin → About or examine the xwiki-version.properties file in the installation directory.

Verify Fix Applied:

After patching, verify the version shows one of the fixed versions: 15.0-rc-1, 14.10.1, 14.4.8, or 13.10.11.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Groovy/Python/Velocity script execution in logs
  • Access to Invitation.InvitationCommon page by non-admin users
  • Unexpected administrative actions from non-admin accounts

Network Indicators:

  • Unusual outbound connections from XWiki server
  • Traffic patterns indicating code execution

SIEM Query:

source="xwiki.log" AND ("Groovy" OR "Python" OR "Velocity") AND "execution"

📊 Metadata

CVE ID: CVE-2023-29518
CVSS v3 Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CWE: CWE-74
Published: April 19, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-29518, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)