Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2023-29515
CVE-2023-29515:
Java vulnerability analysis and mitigation
Overview
CVE-2023-29515 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered and disclosed in April 2023, allowing any user who can create a space to become an admin of that space through App Within Minutes (AWM). This vulnerability affects multiple versions of XWiki Platform, including versions up to 13.10.11, versions 14.0 to 14.4.8, and versions 14.5 to 14.10.1 (GitHub Advisory).
Technical details
The vulnerability exists in the App Within Minutes (AWM) functionality where users can gain elevated privileges. The admin right granted through this vulnerability implies script rights, which enables JavaScript injection capabilities. The vulnerability can be exploited by creating an app in AWM, and even if the button is disabled due to lack of global edit rights, attackers can bypass this by directly accessing '/xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true'. The vulnerability has been assigned a CVSS v3.1 base score of 7.7 (High) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N (GitHub Advisory).
Impact
The vulnerability allows unauthorized users to gain administrative privileges for specific spaces within XWiki, which includes script execution rights. This enables attackers to perform JavaScript injection and potentially execute malicious code. The elevated privileges could be used to create pages with persistent cross-site scripting (XSS) capabilities, among other security implications (XWIKI Issue).
Mitigation and workarounds
The vulnerability has been patched in XWiki versions 13.10.11, 14.4.8, 14.10.1, and 15.0 RC1. The fix prevents granting space admin rights if the user doesn't have script rights on the space where the app is created. For unpatched systems, administrators can apply temporary mitigation by patching the affected wiki documents, particularly AppWithinMinutes.LiveTableEditSheet, or by denying view access to AppWithinMinutes.LiveTableEditSheet. After applying the patch, administrators should review all users who created AWM apps to verify if they should retain their space admin rights, as the fix doesn't automatically revoke previously granted privileges (GitHub Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management