
CVE-2023-35150

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Jun 20, 2023

CVSS 8 | EPSS 33.48% | High

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-35150.

Jun 20, 2023 at 4:50 PM / github.com
Threat Intelligence Report

The vulnerability CVE-2023-35150 in XWiki Platform allows any user with view rights to execute code with programming rights, leading to remote code execution. This critical vulnerability has been patched in versions 15.0, 14.10.4, and 14.4.8. It is important for organizations using XWiki to update to the latest patched versions to prevent exploitation by malicious actors.

Jul 3, 2023 at 9:25 PM

Affected Systems

Xwiki/xwiki

Exploits

https://jira.xwiki.org/browse/XWIKI-20285

Patches

Github Advisory

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

Vendor Advisory

[GHSA-6mf5-36v9-3h2w] XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application

GitHub Security Advisory: GHSA-6mf5-36v9-3h2w
Release Date: 2023-06-20
Update Date: 2023-06-20
Severity: Critical
CVE-2023-35150
Base Score: 9.9
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Package Information
Package: org.xwiki.platform:xwiki-platform-invitation-ui
Affected Versions: >= 2.4-m-2
Patched Versions: 14.4.8

Impact
Any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload.

References

RondoDox Botnet Actively Exploits Unpatched XWiki Server Vulnerabilities: Threat Analysis and Mitigation Strategies

The RondoDox threat actor exploits unpatched instances of XWiki by weaponizing remote code execution vulnerabilities, enabling the deployment of malicious payloads that facilitate lateral movement, data exfiltration, and further propagation of the botnet. The RondoDox threat actor is characterized by a high degree of technical sophistication and operational agility, leveraging automated reconnaissance and exploitation frameworks to identify and compromise vulnerable XWiki servers globally.

Threat Intel Roundup: XWiki, cl0p, HTML Smuggling

Threat Analysis Report – StealC Malware Campaign via “Request Booking” Spam Email

In this analysis, a Golang file is examined, dynamically extracting an Xworm payload.

CVE-2023-35150: Arbitrary Code Injection in XWiki.org XWiki

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Simon Humbert and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the XWiki free wiki software platform. An attacker could include script code in the request-URI that will then be evaluated when the link is rendered.

News

CISA Adds XWiki and Broadcom VMware Flaws to Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has taken decisive action by adding multiple actively exploited security vulnerabilities affecting the XWiki Platform, Broadcom’s VMware Aria Operations, and VMware Tools to its Known Exploited Vulnerabilities (KEV) catalog. The first vulnerability added to the KEV catalog, tracked as CVE-2023-35150, affects versions of the XWiki Platform, an open-source enterprise-level wiki system used for collaboration and content management.

CVE-2023-35150

CVE Id: CVE-2023-35150
Release Date: 2025-10-06
Update Date: 2025-05-23

Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

Statement
Red Hat Product Security has determined that this vulnerability does not affect any currently supported Red Hat product. This assessment may evolve based on further analysis and discovery. For more information about this vulnerability and the products it affects, please see the linked references.

Affected Packages and Issued Red Hat Security Errata

Signature update version 120 - Product Documentation - NetScaler



CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
Base Score: 8
