CVE-2023-29201

Name: CVE-2023-29201
Creator: NVD / NIST
Published: 2023-04-15T15:15:08.273+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9/10EPSS 1.15%

Last modified Jun 17, 2026

CVE-2023-29201 is a critical-severity vulnerability rated 9/10 on the CVSS scale. XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `<script>` and `<style>`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. EPSS estimates a 1.15% chance of exploitation in the next 30 days.

Description

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `<script>` and `<style>`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix.

Metrics

CVSS 3.1

9/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Probability

1.15%

62.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-79

Affected Software

Vendor	Product	Versions
Xwiki	Xwiki	>= 5.0, <= 14.5

References

https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2Patch
https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182Patch
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35jExploit, Patch, Vendor Advisory
https://jira.xwiki.org/browse/XCOMMONS-1680Exploit, Issue Tracking
https://jira.xwiki.org/browse/XCOMMONS-2426Exploit, Issue Tracking
https://jira.xwiki.org/browse/XWIKI-9118Exploit, Issue Tracking
https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2Patch
https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182Patch
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35jExploit, Patch, Vendor Advisory
https://jira.xwiki.org/browse/XCOMMONS-1680Exploit, Issue Tracking
https://jira.xwiki.org/browse/XCOMMONS-2426Exploit, Issue Tracking
https://jira.xwiki.org/browse/XWIKI-9118Exploit, Issue Tracking

Timeline

Published: Apr 15, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-29201?

How severe is CVE-2023-29201?

CVE-2023-29201 has a CVSS score of 9/10 (CRITICAL severity). The EPSS model estimates a 1.15% probability of exploitation in the next 30 days.

How do I fix CVE-2023-29201?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-29201?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST