CVE-2023-29522

9.9 CRITICAL

📋 TL;DR

CVE-2023-29522 is a critical remote code execution vulnerability in XWiki Platform. Any user who holds the view right can get arbitrary script macros (including Groovy and Python) executed by crafting a malicious page name, which gives them unrestricted read/write access to all wiki content and lets them run code on the server hosting XWiki. Every instance running an affected version is exposed regardless of configuration; the only fix is to upgrade to 14.4.8, 14.10.3 or 15.0-rc-1 (or later on those branches).

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 14.4.x before 14.4.8, 14.10.x before 14.10.3, and 15.0 before 15.0-rc-1. Branches with no fixed release (13.x and older, 14.0 to 14.3, 14.5 to 14.9) are also affected and must be upgraded to one of the fixed branches.
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any XWiki instance running an affected version is vulnerable, with default or custom configuration.

📦 What is this software?

XWiki Platform is an open-source, Java-based enterprise wiki. Pages are written in XWiki syntax and can embed server-side script macros (Velocity, Groovy, Python) that run inside the XWiki JVM, which is why a script-injection flaw in page rendering leads directly to remote code execution on the host.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover: injected Groovy or Python runs inside the XWiki JVM under the service account, so data exfiltration, lateral movement to other systems, and persistent backdoor installation follow.

🟠 Likely Case

Unauthorized reading and modification of all wiki content, privilege escalation to wiki admin, and web shells installed for persistent access.

🟢 If Mitigated

With access restricted to trusted authenticated users (the only mitigation available short of patching), exposure is reduced to those users, but any one of them can still fully compromise the wiki and reach the underlying server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No (an account holding the view right is needed; see the note below)
Complexity: LOW

Exploitation requires only the view right, not edit or admin, so practically every account on the wiki can use it. Note that XWiki can grant view to unregistered guests (XWikiGuest); on a wiki configured that way the prerequisite is met without an account, so do not rely on "authenticated only" as a mitigating factor.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.4.8 (14.4 LTS branch), 14.10.3 (14.10 branch), or 15.0-rc-1 and any later release

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mjw9-3f9f-jq2w

Restart Required: Yes

Instructions:

1. Back up the XWiki database and the permanent data directory.
2. Download the patched WAR or distribution package from xwiki.org for the branch you run.
3. Stop the XWiki service.
4. Deploy the patched version over the old one, keeping the permanent directory and database.
5. Start the XWiki service and, if the Distribution Wizard runs, complete it: parts of XWiki ship as wiki pages that are only upgraded that way.
6. Verify that the installed version is at or above the fixed version for its branch.

🔧 Temporary Workarounds

No known workarounds (all affected versions). The vendor states there are no known workarounds for this vulnerability; upgrading is the only fix.

🧯 If You Can't Patch

  • Immediately restrict who can reach the wiki: remove the view right from XWikiGuest so the prerequisite at least requires an account, keep the user base to trusted people, and monitor closely for the indicators below.
  • Implement network segmentation, isolate the XWiki host from critical systems and restrict its outbound traffic, since a successful exploit runs code on that host.

🔍 How to Verify

Check if Vulnerable:

Read the running version from the administration UI (it is also printed in the default page footer) or from WEB-INF/version.properties in the deployed WAR, then compare it with the fixed version for its branch.

Check Version:

Administration UI or page footer, or the `version=` key in WEB-INF/version.properties (xwiki.properties holds configuration, not the version).

Verify Fix Applied:

The fix is per branch: 14.4.x must be at least 14.4.8, 14.10.x at least 14.10.3, and 15.x at least 15.0-rc-1. A plain "newer than 14.4.8" check is wrong: 14.9.0 is newer than 14.4.8 and still vulnerable.
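To make the per-branch comparison mechanical, the following Python script is an added example (not XWiki project code) that parses an XWiki version string and reports whether it predates the fix for its branch. It assumes the version is read from WEB-INF/version.properties, whose `version=` key is where the XWiki WAR records its build version, or is passed directly on the command line.

```python
"""Check an XWiki version against the fixed releases for CVE-2023-29522.

Added example, not part of XWiki. Assumes the version string comes from the
WAR's WEB-INF/version.properties (`version=` key) or is passed on the
command line. Fixed versions are taken from the vendor advisory.
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int, int, int]  # major, minor, patch, stage, stage_no

# Fix per maintenance branch. A version is safe only if it is at or above
# the fix for its OWN branch; 14.5 through 14.9 never received the fix.
FIXED_ON_BRANCH = {
    (14, 4): (14, 4, 8, 2, 0),     # 14.4.8 (final release)
    (14, 10): (14, 10, 3, 2, 0),   # 14.10.3
}
FIRST_FIXED_15 = (15, 0, 0, 1, 1)  # 15.0-rc-1; every later 15.x/16.x build has the fix

# Accepts 14.10.3, 15.0-rc-1, 15.0RC1, 14.4-milestone-2. Trailing qualifiers
# such as -SNAPSHOT are ignored; treat snapshot builds as pre-release yourself.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(rc|milestone)[-.]?(\d+))?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Turn an XWiki version string into a sortable tuple.

    stage: 0 = milestone, 1 = rc, 2 = final, so
    15.0-milestone-1 < 15.0-rc-1 < 15.0 sorts correctly.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    stage_name, stage_no = m.group(4), m.group(5)
    if stage_name is None:
        return (major, minor, patch, 2, 0)
    stage = 0 if stage_name.lower() == "milestone" else 1
    return (major, minor, patch, stage, int(stage_no))


def is_vulnerable(text: str) -> bool:
    """True if this version predates the fix on its own branch."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch in FIXED_ON_BRANCH:
        return v < FIXED_ON_BRANCH[branch]
    if branch >= (15, 0):
        return v < FIRST_FIXED_15
    # Every other branch (13.x and older, 14.0-14.3, 14.5-14.9) has no fixed
    # release: "newer than 14.4.8" is not enough, 14.9.0 is still vulnerable.
    return True


def version_from_properties(contents: str) -> Optional[str]:
    """Pull the `version=` value out of WEB-INF/version.properties contents."""
    for line in contents.splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_xwiki.py <version-string | path/to/WEB-INF/version.properties>")
    arg = sys.argv[1]
    version: Optional[str] = arg
    if arg.endswith(".properties"):
        with open(arg, encoding="utf-8") as fh:
            version = version_from_properties(fh.read())
        if version is None:
            sys.exit(f"no version= key found in {arg}")
    verdict = "VULNERABLE" if is_vulnerable(version) else "fixed"
    print(f"XWiki {version}: {verdict} (CVE-2023-29522)")
```

Run it as `python3 check_xwiki.py /path/to/xwiki/WEB-INF/version.properties` on the host, or `python3 check_xwiki.py 14.9.0` to test a version by hand; the branch table is the whole point, since a numeric "at least 14.4.8" comparison would pass 14.9.0 as fixed.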

📡 Detection & Monitoring

Log Indicators:

  • Requests for page or space names that contain XWiki macro syntax ({{...}}), in particular script macro openers such as {{groovy}} or {{python}}, often URL-encoded as %7B%7B or double-encoded as %257B%257B
  • Page creation or view attempts for such names, whether they succeeded or produced a "page not found" style error
  • Script macro execution (Groovy, Python) logged for documents or users that should not hold script or programming rights

Network Indicators:

  • Unusual outbound connections from the XWiki server (reverse shells, tool downloads)
  • Large data transfers from the wiki database or from the server to external hosts

SIEM Query (Splunk-style; match the macro opener rather than the bare words "Groovy" or "Python", which also appear in legitimate page titles and log lines):

(source="xwiki.log" OR source="access.log") AND ("{{groovy" OR "{{python" OR "{{velocity" OR "%7B%7Bgroovy" OR "%7B%7Bpython" OR "%7B%7Bvelocity")
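
As an added example (not XWiki code and not a vendor-supplied rule), the following Python script applies the idea behind the query above to Tomcat/Apache-style access-log lines: it URL-decodes each request (twice, to catch double encoding) and flags only requests whose page or space name carries an XWiki macro opener such as {{groovy}}, so a page legitimately titled "Groovy Tips" is not reported. The log lines are constructed for this example, and the list of macro names is a starting point rather than the exact payload used against this bug.

```python
"""Flag XWiki requests whose page or space name carries script-macro syntax.

Added example, not XWiki code. Assumes requests are recorded in a
Tomcat/Apache-style access log and that abuse of CVE-2023-29522 has to put
macro markup such as {{groovy}} into a page name, i.e. into the request URL.
The sample log below is constructed for this example.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# XWiki syntax macro opener: {{name ...}}. Groovy and Python are the script
# macros named in the advisory; velocity and async are the other common
# wrappers on the way to script execution. Extend the tuple as needed.
SCRIPT_MACROS = ("groovy", "python", "velocity", "async")
_MACRO_RE = re.compile(r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE)

# host ident user [time] "METHOD URL PROTO" status bytes
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign view, one macro in the page name, one
# double-encoded macro in a create-form parameter, and one benign title that
# merely contains the word "Groovy".
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5123
10.0.0.9 - alice [12/Apr/2023:10:02:15 +0000] "GET /xwiki/bin/view/Sandbox/%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 2048
10.0.0.9 - alice [12/Apr/2023:10:02:40 +0000] "GET /xwiki/bin/create/Main/WebHome?spaceReference=%257B%257Bpython%257D%257D&name=x HTTP/1.1" 200 1800
10.0.0.7 - bob [12/Apr/2023:10:03:00 +0000] "GET /xwiki/bin/view/Dev/Groovy%20Tips HTTP/1.1" 200 900
"""


def decode_url(url: str) -> str:
    """URL-decode twice so %257B%257B (double-encoded "{{") is caught as well."""
    return unquote(unquote(url))


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if benign or unparsable."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_url(m.group("url"))
    hit = _MACRO_RE.search(decoded)
    if not hit:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "status": m.group("status"),
        "macro": hit.group(1).lower(),
        "url": decoded,
    }


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan many lines, preserving order so findings line up with the log."""
    findings = []
    for line in lines:
        finding = scan_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} user={f['user']} macro={f['macro']} "
              f"status={f['status']} url={f['url']}")
```

Feed it your real access log (`scan(open(path))`) and pivot on the reported user and source IP; note that a 404 or error status does not make a hit benign, because the attempt itself is the indicator. The decoded-macro match is also what belongs in the SIEM rule in place of bare keyword searches for "Groovy" or "Python".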

🔗 References

  • Vendor advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mjw9-3f9f-jq2w
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-29522
