9.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29512

GHSA ID

GHSA-hg5x-3w3x-7g96

EPSS Score

0.83504%

CWE

CWE-74

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29512

CVE-2023-29512: xwiki-platform-web-templates vulnerable to Eval Injection

Impact

Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm, and packagelist.vm. This page is installed by default.

Reproduction steps are described in https://jira.xwiki.org/browse/XWIKI-20267

Patches

The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11.

Workarounds

The issue can be fixed by applying this patch on imported.vm, importinline.vm, and packagelist.vm.

References

https://github.com/xwiki/xwiki-platform/commit/e4bbdc23fea0be4ef1921d1a58648028ce753344
https://jira.xwiki.org/browse/XWIKI-20267

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

9.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29512

GHSA ID

GHSA-hg5x-3w3x-7g96

EPSS Score

0.83504%

CWE

CWE-74

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 1.0B1, < 13.10.11	13.10.11
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 14.0-rc-1, < 14.4.8	14.4.8
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 14.5, < 14.10.1	14.10.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing output escaping in Velocity templates that process user-controlled input from XAR attachments. The patch adds $escapetool.xml() escaping to numerous variables that render: 1) Localization strings with dynamic keys, 2) Package metadata fields, 3) Attachment filenames, and 4) User-provided document names. These unescaped outputs in imported.vm, importinline.vm and packagelist.vm templates allowed injection of arbitrary code into the rendered HTML, which could then be interpreted as Velocity/Groovy code due to XWiki's template processing flow. The high confidence comes from direct correlation between patched locations and security advisory descriptions of injection vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny us*r wit* **it ri**ts on * p*** (*.*., it's own us*r p***), **n *x**ut* *r*itr*ry *roovy, Pyt*on or V*lo*ity *o** in XWiki l***in* to *ull ****ss to t** XWiki inst*ll*tion. T** root **us* is improp*r *s**pin* o* t** in*orm*tion lo****

Reasoning

T** vuln*r**ility st*ms *rom missin* output *s**pin* in V*lo*ity t*mpl*t*s t**t pro**ss us*r-*ontroll** input *rom X*R *tt***m*nts. T** p*t** ***s `$*s**p*tool.xml()` *s**pin* to num*rous v*ri**l*s t**t r*n**r: *) Lo**liz*tion strin*s wit* *yn*mi* k*

9.9

Basic Information

Concerned about an active attack path?

CVE-2023-29512: xwiki-platform-web-templates vulnerable to Eval Injection

Impact

Patches

Workarounds

References

For more information

9.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI