CVE intelligence and bounded remediation
CVE-2023-36468 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version. The severity of this depends on the fixed vulnerability, for the purpose of this advisory take CVE-2022-36100/GHSA-2g5c-228j-p52x as example - it is easily exploitable with just view rights and critical. When XWiki is upgraded from a version before the fix for it (e.g., 14.3) to a version including the fix (e.g., 14.4), the vulnerability can still be reproduced by adding `rev=1.1` to the URL used in the reproduction steps so remote code execution is possible even after upgrading. Therefore, this affects the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability also affects manually added script macros that contained security vulnerabilities that were later fixed by changing the script macro without deleting the versions with the security vulnerability from the history. This vulnerability doesn't affe…
- Severity
- Critical
- CVSS
- 9.9 (3.1)
- Published
- 2023-06-29
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-459
Affected products
- xwiki / xwiki
- xwiki / xwiki / 15.0
- xwiki / xwiki / 15.1
Matched remediation archetype
Command, code, expression, and template injection
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Trace untrusted values to process execution, interpreters, evaluators, template engines, dynamic imports, and administrative scripting features.
- Determine whether the affected path is reachable across each trust boundary and which service account or host privilege it inherits.
- Review configuration for optional execution features, unsafe compatibility modes, and shell invocation.
Remediate safely
- Replace string-built commands or evaluated code with fixed operations and structured argument APIs that do not invoke a shell.
- Use strict allowlists for operation identifiers and reject unexpected input before it reaches any interpreter.
- Update the affected component and add inert regression tests covering metacharacters, encoding variants, and alternate request paths.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.