CVE-2023-37914

9.9 CRITICAL

📋 TL;DR

This vulnerability allows any user with view access to the Invitation.WebHome page in XWiki Platform to execute arbitrary script macros, including Groovy and Python, leading to remote code execution. Attackers can gain unrestricted read/write access to all wiki contents. All XWiki instances with vulnerable versions are affected.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: All versions before 14.4.8, 15.2-rc-1, and 14.10.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Default XWiki installations with the Invitation application enabled are vulnerable. The vulnerability requires view access to Invitation.WebHome, which may be restricted in some configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the XWiki instance: attackers can execute arbitrary code on the server, steal all data, modify content, install backdoors, and potentially pivot to other systems.

🟠 Likely Case

Unauthorized users gaining administrative privileges, modifying wiki content, stealing sensitive information, and potentially disrupting operations.

🟢 If Mitigated

If proper access controls limit who can view Invitation.WebHome, impact is reduced to authorized users only, but they could still escalate privileges.

🌐 Internet-Facing: HIGH - Internet-facing XWiki instances are directly exposed to exploitation by any user who can access the vulnerable page.
🏢 Internal Only: HIGH - Internal instances are still vulnerable to insider threats or compromised accounts with view access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user authentication with view permissions to the vulnerable page. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.4.8, 15.2-rc-1, or 14.10.6

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf

Restart Required: Yes

Instructions:

1. Back up your XWiki instance.
2. Upgrade to XWiki 14.4.8, 15.2-rc-1, or 14.10.6.
3. Restart the XWiki service.
4. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Manual patch application (applies to: all)

If you are unable to upgrade, apply the security patches to the Invitation.InvitationCommon and Invitation.InvitationConfig pages. The patches are in the following commit:

https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591

🧯 If You Can't Patch

  • Restrict access to Invitation.WebHome page to only trusted administrators.
  • Disable the Invitation application entirely if not needed.

🔍 How to Verify

Check if Vulnerable:

Check if your XWiki version is below 14.4.8, 15.2-rc-1, or 14.10.6 and if the Invitation application is enabled.

Check Version:

Check the XWiki administration panel or view the page 'Main.WebHome' for version information.

Verify Fix Applied:

Verify the XWiki version is 14.4.8, 15.2-rc-1, 14.10.6 or higher, and test that script macros cannot be executed via Invitation.WebHome.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script macro executions in logs
  • Access to Invitation.WebHome by non-admin users
  • Groovy or Python macro execution from unexpected sources

Network Indicators:

  • HTTP requests to Invitation.WebHome with script parameters
  • Unusual outbound connections from XWiki server

SIEM Query:

Search for events where source_ip accesses '/xwiki/bin/view/Invitation/WebHome' AND (contains 'groovy' OR contains 'python' OR contains 'script')
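An added example (not part of the original advisory) of that SIEM logic as a script run over a constructed combined-format access log: it flags requests whose path is Invitation.WebHome and whose decoded query string contains groovy, python or script, and separately surfaces POSTs to the page for review because access logs do not record POST bodies. The log lines, IPs, user names and the `text` parameter are made up; the script does not know user roles, so the "non-admin user" indicator still needs your directory data.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined-log style) for demonstration only;
# IPs, user names and parameter names are made up, not from a real XWiki deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Jun/2023:10:01:02 +0000] "GET /xwiki/bin/view/Invitation/WebHome HTTP/1.1" 200 5120
10.0.0.9 - bob [12/Jun/2023:10:02:15 +0000] "GET /xwiki/bin/view/Invitation/WebHome?text=%7B%7Bgroovy%7D%7D1%2B1%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 4096
10.0.0.9 - bob [12/Jun/2023:10:03:40 +0000] "POST /xwiki/bin/view/Invitation/WebHome HTTP/1.1" 200 4096
10.0.0.7 - carol [12/Jun/2023:10:04:01 +0000] "GET /xwiki/bin/view/Main/WebHome?q=python HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/xwiki/bin/view/Invitation/WebHome"
KEYWORDS = ("groovy", "python", "script")


def analyze_line(line):
    """Return an alert dict for a suspicious request to the Invitation page, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # Decode percent-encoding so '%7B%7Bgroovy%7D%7D' is seen as '{{groovy}}'.
    decoded = unquote_plus(parts.query).lower()
    hits = [k for k in KEYWORDS if k in decoded]
    base = {"ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts")}
    if hits:
        return {**base, "severity": "high", "keywords": hits, "query": decoded}
    if m.group("method") == "POST":
        # Access logs do not record POST bodies, so a POST to the page cannot be
        # cleared by keyword matching; surface it for review instead.
        return {**base, "severity": "review", "keywords": [], "query": decoded}
    return None


def scan_log(text):
    """Run analyze_line over every line and keep the alerts."""
    return [a for a in (analyze_line(l) for l in text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```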
