Critical severityNVD Advisory· Published Apr 15, 2023· Updated Feb 6, 2025

org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability

CVE-2023-29209

Description

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the macro parameters of the legacy notification activity macro. This macro is installed by default in XWiki. The vulnerability can be exploited via every wiki page that is editable including the user's profile, but also with just view rights using the HTMLConverter that is part of the CKEditor integration which is bundled with XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-legacy-notification-activitymacroMaven	>= 10.9, < 13.10.11	13.10.11
org.xwiki.platform:xwiki-platform-legacy-notification-activitymacroMaven	>= 14.0-rc-1, < 14.4.7	14.4.7
org.xwiki.platform:xwiki-platform-legacy-notification-activitymacroMaven	>= 14.5, < 14.10	14.10

Affected products

Xwiki/Xwiki Platformv5
Range: >= 10.9, < 13.10.11

Patches

943924908846

XWIKI-20258: Improve escaping in the Legacy ActivityMacro

https://github.com/xwiki/xwiki-platformMichael HamannOct 26, 2022via ghsa

commit

1 file changed · +11 −2

xwiki-platform-core/xwiki-platform-legacy/xwiki-platform-legacy-notifications/xwiki-platform-legacy-notification-activitymacro/src/main/resources/XWiki/Notifications/Code/Legacy/ActivityMacro.xml

+11 −2 modified

@@ -251,10 +251,19 @@
     <property>
       <code>{{velocity}}
 #set ($wikis = '')
-#if ($services.wiki.currentWikiId != $services.wiki.mainWikiId)
+#if ("$!xcontext.macro.params.wikis" != '')
+  #set ($wikis = $xcontext.macro.params.wikis)
+#elseif ($services.wiki.currentWikiId != $services.wiki.mainWikiId)
   #set ($wikis = $services.wiki.currentWikiId)
 #end
-{{notifications useUserPreferences="false" displayOwnEvents="true" count="$xcontext.macro.params.entries" #if("$!xcontext.macro.params.wikis" != '')wikis="$xcontext.macro.params.wikis"#{else}wikis="$wikis"#end #if("$!xcontext.macro.params.spaces" != '')spaces="$xcontext.macro.params.spaces"#end #if("$!xcontext.macro.params.authors" != '')users="$xcontext.macro.params.authors"#end #if("$!xcontext.macro.params.tags" != '')tags="$xcontext.macro.params.tags"#end #if("$!xcontext.macro.params.minor" != '')displayMinorEvents="$xcontext.macro.params.minor"#end #if("$!xcontext.macro.params.rss" != '')displayRSSLink="$xcontext.macro.params.rss"#end /}}
+{{notifications useUserPreferences="false" displayOwnEvents="true"
+        count="$services.rendering.escape($xcontext.macro.params.entries, 'xwiki/2.1')"
+        wikis="$services.rendering.escape($wikis, 'xwiki/2.1')"
+        #if("$!xcontext.macro.params.spaces" != '')spaces="$services.rendering.escape($xcontext.macro.params.spaces, 'xwiki/2.1')"#end
+        #if("$!xcontext.macro.params.authors" != '')users="$services.rendering.escape($xcontext.macro.params.authors, 'xwiki/2.1')"#end
+        #if("$!xcontext.macro.params.tags" != '')tags="$services.rendering.escape($xcontext.macro.params.tags, 'xwiki/2.1')"#end
+        #if("$!xcontext.macro.params.minor" != '')displayMinorEvents="$services.rendering.escape($xcontext.macro.params.minor, 'xwiki/2.1')"#end
+        #if("$!xcontext.macro.params.rss" != '')displayRSSLink="$services.rendering.escape($xcontext.macro.params.rss, 'xwiki/2.1')"#end /}}
 {{/velocity}}</code>
     </property>
     <property>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-9pc2-x9qf-7j2qghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-29209ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/94392490884635c028199275db059a4f471e57bcghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-9pc2-x9qf-7j2qghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-20258ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.015
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000