CVE-2023-29524

9.9 CRITICAL

📋 TL;DR

This vulnerability allows authenticated users without script or programming rights to execute arbitrary Groovy code on XWiki servers by adding a malicious scheduler job object (XWiki.SchedulerJobClass) to their own user profile. The code runs with the privileges of the Scheduler Application sheet page, potentially leading to server compromise. All XWiki installations below the patched versions are affected.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: All versions below 14.10.3 and 15.0 RC1
Operating Systems: All platforms running XWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access, but no special privileges beyond basic edit rights on the user's own profile.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server takeover with remote code execution, data exfiltration, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Unauthorized code execution leading to data theft, privilege escalation, or service disruption.

🟢 If Mitigated: Limited impact if proper access controls and monitoring are in place, but still represents significant risk.

🌐 Internet-Facing: HIGH - Internet-facing XWiki instances are directly exploitable by authenticated users.
🏢 Internal Only: HIGH - Internal instances are vulnerable to any authenticated user, including low-privilege accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but follows documented steps. The advisory provides clear exploitation methodology.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XWiki 14.10.3 or 15.0 RC1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fc42-5w56-qw7h

Restart Required: Yes

Instructions:

1. Back up your XWiki instance.
2. Upgrade to XWiki 14.10.3 or 15.0 RC1.
3. Restart the XWiki service.
4. Verify the patch is applied.

🧯 If You Can't Patch

  • Restrict user profile editing permissions to trusted administrators only.
  • Implement strict network segmentation and monitoring for XWiki instances.

🔍 How to Verify

Check if Vulnerable:

Check the XWiki version via the admin interface or by examining the installation files. Versions below 14.10.3 or 15.0 RC1 are vulnerable.

Check Version:

Check the XWiki version in the Administration → About section, or examine xwiki-version.txt in the installation directory.

Verify Fix Applied:

Verify that the XWiki version is 14.10.3 or higher, or 15.0 RC1 or higher. Confirm that adding XWiki.SchedulerJobClass objects to a user profile no longer executes arbitrary code.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Groovy script execution in scheduler logs
  • Multiple failed authentication attempts followed by profile edits
  • Unexpected creation of XWiki.SchedulerJobClass objects

Network Indicators:

  • Unusual outbound connections from XWiki server
  • Large data transfers from XWiki instance

SIEM Query:

source="xwiki" AND (event="scheduler_execution" OR event="profile_edit") AND user!="admin"
