VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-64wz-61e9-97h4

Essentials
Severities (33)
References (8)
Severity details (18)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-64wz-61e9-97h4
Aliases	CVE-2023-41046 GHSA-m5m2-h6h9-p2c8
Summary	Missing Authorization XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the former, the syntax of the document needs to be set the `xwiki/1.0` (this syntax does not need to be installed). In both cases, when adding the property to an object, the Velocity code is executed regardless of the rights of the author of the property (edit right is still required, though). In both cases, the code is executed with the correct context author so no privileged APIs can be accessed. However, Velocity still grants access to otherwise inaccessible data and APIs that could allow further privilege escalation. At least for "VelocityCode", this behavior is most likely very old but only since XWiki 7.2, script right is a separate right, before that version all users were allowed to execute Velocity and thus this was expected and not a security issue. This has been patched in XWiki 14.10.10 and 15.4 RC1. Users are advised to upgrade. There are no known workarounds.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-862	Missing Authorization
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2023-41046
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-m5m2-h6h9-p2c8
cvssv3.1	6.3	https://github.com/xwiki/xwiki-platform
generic_textual	MODERATE	https://github.com/xwiki/xwiki-platform
cvssv3.1	6.3	https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839
generic_textual	MODERATE	https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839
ssvc	Track	https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839
cvssv3.1	6.3	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8
cvssv3.1_qr	MODERATE	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8
generic_textual	MODERATE	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8
ssvc	Track	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8
cvssv3.1	6.3	https://jira.xwiki.org/browse/XWIKI-20847
generic_textual	MODERATE	https://jira.xwiki.org/browse/XWIKI-20847
ssvc	Track	https://jira.xwiki.org/browse/XWIKI-20847
cvssv3.1	6.3	https://jira.xwiki.org/browse/XWIKI-20848
generic_textual	MODERATE	https://jira.xwiki.org/browse/XWIKI-20848
ssvc	Track	https://jira.xwiki.org/browse/XWIKI-20848
cvssv3.1	6.3	https://nvd.nist.gov/vuln/detail/CVE-2023-41046
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2023-41046

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-41046
		https://github.com/xwiki/xwiki-platform
		https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839
		https://jira.xwiki.org/browse/XWIKI-20847
		https://jira.xwiki.org/browse/XWIKI-20848
CVE-2023-41046		https://nvd.nist.gov/vuln/detail/CVE-2023-41046
GHSA-m5m2-h6h9-p2c8		https://github.com/advisories/GHSA-m5m2-h6h9-p2c8
GHSA-m5m2-h6h9-p2c8		https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/xwiki/xwiki-platform

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T20:20:35Z/ Found at https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T20:20:35Z/ Found at https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://jira.xwiki.org/browse/XWIKI-20847

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T20:20:35Z/ Found at https://jira.xwiki.org/browse/XWIKI-20847

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://jira.xwiki.org/browse/XWIKI-20848

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-30T20:20:35Z/ Found at https://jira.xwiki.org/browse/XWIKI-20848

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-41046

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.26976
EPSS Score	0.00097
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:51:45.215862+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-41046.yml	38.0.0