CVE-2023-29526 CRITICAL

CVE-2023-29526: Async and display macro allow displaying and interacting with any document in restricted mode

Vendor Xwiki
Product xwiki-platform
Weakness CWE-74
Published April 18, 2023
Last update February 5, 2025

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it is possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment containing either macro is executed when viewed, providing a code injection vector in the context of the running server. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.

Key dates

Disclosure timeline

April 18, 2023 CVE published
February 5, 2025 Record updated