Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-jgrg-qvpp-9vwr

GitHub Security Advisory

XWiki Platform vulnerable to code injection from account through AWM view sheet

✓ GitHub Reviewed CRITICAL Has CVE
View on GitHub

Advisory Details

### Impact
Steps to reproduce:

1. As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content `{{groovy}}println("Hello " + "from Groovy!"){{/groovy}}`
1. Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save)
1. View the document

### Patches

The vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.3.

### Workarounds

There is no known workaround.

### References

https://jira.xwiki.org/browse/XWIKI-20423

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-appwithinminutes-ui
Affected versions: 7.4.4 (fixed in 14.10.3)

Related CVEs

CVE-2023-29527

Key Information

GHSA ID
GHSA-jgrg-qvpp-9vwr
Published
April 20, 2023 10:25 PM
Last Modified
April 20, 2023 10:25 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-appwithinminutes-ui
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 22, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.