org.xwiki.contrib:application-ckeditor-ui vulnerable to Remote Code Execution via Cross-Site Request Forgery
CVE-2023-22457

9.1 CRITICAL

Key Information:

Vendor:
CVE Published: 4 January 2023

What is CVE-2023-22457?

The CKEditor Integration for XWiki was found to lack adequate protection against Cross-Site Request Forgery (CSRF). Because the affected endpoint accepted a plain GET request, an attacker who deceives a privileged user with programming rights into issuing a crafted GET request (for example by embedding the request parameters in an image URL or by redirecting the victim to it) could execute macros with the privileges of that user. The consequences include unauthorized access to sensitive information, manipulation of wiki content, and disruption of service availability. The issue has been addressed in CKEditor Integration version 1.64.3; users are advised to upgrade to this version or later to mitigate the risk.
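The description above comes down to a macro-execution endpoint that honoured a bare GET carrying the victim's session cookie. The following is an added example, not code from XWiki or the CKEditor Integration, that models the two defensive checks which close that class of bug: refuse non-POST requests, and require a per-session CSRF token that a cross-origin image URL or redirect cannot supply. All names (`Session`, `Request`, `guarded_macro_endpoint`, the `form_token` parameter, the `/ckeditor/macro` path) are hypothetical, and the requests are constructed inline; Python is used here for a runnable illustration rather than the project's own Java.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session; the secret is never sent to the browser as-is."""
    user: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request that arrived with the session cookie."""
    method: str
    path: str
    params: dict
    session: Session


class CsrfRejected(Exception):
    """Raised when a request fails the anti-CSRF checks."""


def csrf_token(session: Session) -> str:
    """Derive a per-session token the server can recompute; a cross-site page
    never learns it, so it cannot be embedded in an <img src> or a redirect."""
    return hmac.new(session.secret, b"macro-csrf", hashlib.sha256).hexdigest()


def render_macro(macro_body: str, request: Request) -> str:
    """Placeholder for the privileged operation (macro rendering)."""
    return f"[executed as {request.session.user}] {macro_body}"


def unguarded_macro_endpoint(request: Request) -> str:
    """The vulnerable pattern: any method, no token, acts on the cookie alone."""
    return render_macro(request.params["macro"], request)


def guarded_macro_endpoint(request: Request) -> str:
    """Hardened pattern: state-changing/privileged work is POST-only and the
    caller must present the session-bound token in the request body."""
    if request.method != "POST":
        raise CsrfRejected("GET is refused: image URLs and redirects only produce GETs")
    token = request.params.get("form_token", "")
    if not token or not hmac.compare_digest(token, csrf_token(request.session)):
        raise CsrfRejected("missing or invalid CSRF token")
    return render_macro(request.params["macro"], request)


# Constructed scenario: a victim with elevated rights and a forged GET that an
# attacker-controlled page could trigger via <img src="https://wiki/...">.
VICTIM = Session(user="user-with-programming-rights")
FORGED_GET = Request("GET", "/ckeditor/macro", {"macro": "{{example/}}"}, VICTIM)


def forged_request_is_executed_when_unguarded() -> bool:
    """Shows why the original behaviour was exploitable."""
    return unguarded_macro_endpoint(FORGED_GET).startswith("[executed as")


def forged_request_is_rejected_when_guarded() -> bool:
    try:
        guarded_macro_endpoint(FORGED_GET)
    except CsrfRejected:
        return True
    return False


def legitimate_request_succeeds() -> str:
    """A same-origin editor POST that carries the token still works."""
    legit = Request(
        "POST", "/ckeditor/macro",
        {"macro": "{{example/}}", "form_token": csrf_token(VICTIM)}, VICTIM,
    )
    return guarded_macro_endpoint(legit)


if __name__ == "__main__":
    print("unguarded executes forged GET:", forged_request_is_executed_when_unguarded())
    print("guarded rejects forged GET:   ", forged_request_is_rejected_when_guarded())
    print("guarded legit POST:           ", legitimate_request_succeeds())
```

Binding the token to the session secret with an HMAC means the server stores nothing extra per token and a stolen token from one session is useless in another; `hmac.compare_digest` keeps the comparison constant-time. The POST-only rule matters on its own: even before token checking, it removes the image-URL and redirect delivery vectors named in the advisory.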

Affected Version(s)

application-ckeditor < 1.64.3

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved