CVE-2023-50732

8.3 HIGH

📋 TL;DR

This vulnerability in XWiki Platform allows attackers to execute Velocity scripts through the document tree without holding the script right normally required. It affects all XWiki installations running vulnerable versions and can enable unauthorized code execution.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: before 14.10.7 and 15.2RC1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All XWiki installations using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Unauthorized script execution allowing privilege escalation, data manipulation, or denial of service.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some knowledge of XWiki's Velocity scripting and document tree structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.10.7 or 15.2RC1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5f8-qf24-24cj

Restart Required: Yes

Instructions:

1. Back up your XWiki installation.
2. Upgrade to XWiki 14.10.7 or 15.2RC1.
3. Restart the XWiki service.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Restrict Document Tree Access (applies to: all)

Limit access to document tree functionality to trusted users only.

Configure XWiki rights to restrict 'view' and 'edit' rights on document tree features.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the XWiki instance.
  • Disable or restrict Velocity scripting capabilities for non-administrative users.

🔍 How to Verify

Check if Vulnerable:

Check XWiki version via admin interface or by examining the installation directory.

Check Version:

Check XWiki admin dashboard or examine xwiki.properties file for version information.

Verify Fix Applied:

Confirm version is 14.10.7 or 15.2RC1 or later, and test that Velocity scripts cannot be executed without proper rights.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Velocity script execution attempts
  • Failed authentication attempts followed by script execution

Network Indicators:

  • Unexpected requests to document tree endpoints with script parameters

SIEM Query:

source="xwiki" AND (event="script_execution" OR event="velocity_execution") AND user!="admin"
