{ "affected": [ { "ranges": [ { "events": [ { "introduced": "ab4dfeaeef13360eebcaa507bc652073aa89a427" }, { "fixed": "304f1c5906fe7ad6256b0792290ef89592c1f3b7" } ], "repo": "https://github.com/xwiki/xwiki-platform", "type": "GIT" } ] } ], "aliases": [ "GHSA-3hjg-cghv-22ww" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-74" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/29xxx/CVE-2023-29519.json" }, "details": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the \"property\" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "id": "CVE-2023-29519", "modified": "2026-04-01T23:09:05.933790770Z", "published": "2023-04-18T23:31:09.369Z", "references": [ { "type": "WEB", "url": "https://jira.xwiki.org/browse/XWIKI-20364" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/29xxx/CVE-2023-29519.json" }, { "type": "ADVISORY", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3hjg-cghv-22ww" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29519" }, { "type": "FIX", "url": "https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Code injection in org.xwiki.platform:xwiki-platform-attachment-ui" }