VYPR
High severity · NVD Advisory · Published Mar 7, 2023 · Updated Feb 25, 2025

Data leak through a XAR import XXE attack in xwiki-platform-xar-model

CVE-2023-27480

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch e3527b98fd manually.
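The fix described above disallows any DOCTYPE in the XAR descriptor. As an added example (not XWiki's own code), the snippet below applies the same Xerces feature to a standalone DOM parser and shows that a descriptor carrying a DOCTYPE is rejected while a plain descriptor still parses; the minimal package.xml layout used here is an assumption.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XarDescriptorParserDemo {

    // Hardened factory: the same feature the XWiki fix enables. With it set,
    // the parser aborts on any DOCTYPE instead of resolving entity declarations.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
        dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbFactory.newDocumentBuilder();
    }

    // Returns the package name from the descriptor, or null when the parser rejects it.
    static String readPackageName(String descriptorXml)
            throws ParserConfigurationException, IOException {
        try {
            Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(descriptorXml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement()
                      .getElementsByTagName("name").item(0).getTextContent();
        } catch (SAXException e) {
            // disallow-doctype-decl reports a DOCTYPE as a fatal parse error.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed descriptor shaped like a minimal XAR package.xml (layout assumed).
        String benign = "<?xml version=\"1.0\"?>"
            + "<package><infos><name>demo</name></infos></package>";
        // Constructed descriptor with a DOCTYPE. The entity is internal and harmless;
        // the hardened parser rejects the DOCTYPE itself, whatever it declares.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE package [<!ENTITY n \"demo\">]>"
            + "<package><infos><name>&n;</name></infos></package>";
        System.out.println("benign  -> " + readPackageName(benign));
        System.out.println("doctype -> " + readPackageName(withDoctype));
    }
}
```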

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Ecosystem  Affected versions                Patched versions
org.xwiki.platform:xwiki-platform-xar-model  Maven      >= 1.1-milestone-3, < 13.10.11   13.10.11
org.xwiki.platform:xwiki-platform-xar-model  Maven      >= 14.0, < 14.4.7                14.4.7
org.xwiki.platform:xwiki-platform-xar-model  Maven      >= 14.5, < 14.10-rc-1            14.10-rc-1


Patches

e3527b98fdd8

XWIKI-20320: Disallow DOCTYPE in the XAR descriptor

https://github.com/xwiki/xwiki-platform · Vincent Massol · Nov 4, 2022 · via ghsa
1 file changed · +2 −0
  • xwiki-platform-core/xwiki-platform-xar/xwiki-platform-xar-model/src/main/java/org/xwiki/xar/XarPackage.java · +2 −0 · modified
    @@ -515,6 +515,8 @@ public void readDescriptor(InputStream stream) throws XarException, IOException
     
             DocumentBuilder dBuilder;
             try {
    +            // Prevent XXE attack
    +            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                 dBuilder = dbFactory.newDocumentBuilder();
             } catch (ParserConfigurationException e) {
                 throw new XarException("Failed to create a new Document builder", e);
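Review bot: the feature string "http://apache.org/xml/features/disallow-doctype-decl" is Xerces-specific, and the hunk shows no fallback if the JAXP implementation in use does not recognise it; setFeature would then throw ParserConfigurationException, which the existing catch turns into a XarException ("Failed to create a new Document builder"), so the import fails closed rather than silently staying vulnerable, which is acceptable but worth stating in the comment. As defense in depth, consider also disabling external general and parameter entities and enabling XMLConstants.FEATURE_SECURE_PROCESSING on dbFactory in the same try block, so the descriptor parser stays hardened even if a future change relaxes the DOCTYPE rule.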
    

