CVE-2023-46731

Name: CVE-2023-46731
Creator: NVD / NIST
Published: 2023-11-06T19:15:09.307+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 88.53%

Last modified Jun 17, 2026

CVE-2023-46731 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. EPSS estimates a 88.53% chance of exploitation in the next 30 days.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated users) to execute code including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki instance. This vulnerability has been patched in XWiki 14.10.14, 15.6 RC1 and 15.5.1. Users are advised to upgrade. Users unablr to upgrade may apply the fix in commit `fec8e0e53f9` manually. Alternatively, to protect against attacks from unauthenticated users, view right for guests can be removed from this document (it is only needed for space and wiki admins).

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

88.53%

99.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Xwiki	Xwiki	< 14.10.14
Xwiki	Xwiki	>= 15.0, < 15.5.1

References

https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803aPatch
https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803a#diff-6271f9be501f30b2ba55459eb451aee3413d34171ba8198a77c865306d174e23Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-62pr-qqf7-hh89Exploit, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-21110Issue Tracking, Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803aPatch
https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803a#diff-6271f9be501f30b2ba55459eb451aee3413d34171ba8198a77c865306d174e23Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-62pr-qqf7-hh89Exploit, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-21110Issue Tracking, Vendor Advisory

Timeline

Published: Nov 6, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-46731?

How severe is CVE-2023-46731?

CVE-2023-46731 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 88.53% probability of exploitation in the next 30 days.

How do I fix CVE-2023-46731?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-46731?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST