XWiki Admin Tools Application Run Shell Command allows CSRF RCE attacks
CVE-2023-48292

8.8 HIGH

Key Information:

Vendor
XWiki
CVE Published:
20 November 2023

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

The XWiki Admin Tools Application contains a cross-site request forgery (CSRF) vulnerability in its Run Shell Command feature that lets an attacker execute arbitrary shell commands on the server hosting the wiki. The command-execution request is not protected by a form token, so an attacker who can post a comment can embed the attack URL in it (for example as an image reference); when a user with admin rights views that comment, the browser requests the URL with the admin's session and the embedded command runs. Because the command runs with the privileges of the wiki's server process, the confidentiality, integrity and availability of the XWiki installation are all affected. The issue is fixed in version 4.5.1 of the Admin Tools Application, which adds a form token check to the command-execution request. Administrators should upgrade to 4.5.1 or later, or disable the shell-command execution feature until they can.
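The following is an added example written for this page, not code from XWiki or the Admin Tools Application. It models the bug class described above in plain Python: a command-execution endpoint whose only gate is the caller's admin session cookie, beside a handler that additionally requires a POST carrying a per-session form token. The endpoint URL, the `command` and `form_token` parameter names, the `JSESSIONID` cookie, the comment format and the handler names are all assumptions made for the demonstration; the only shell commands it ever runs are constructed `echo` calls.

```python
"""Model of the CVE-2023-48292 bug class: a shell-command endpoint protected only
by the admin's session cookie (no CSRF token), beside the form-token check that
fixes it. Added example, not XWiki code; URL, parameter and cookie names are
assumptions."""
import hmac
import re
import secrets
import subprocess
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, urlparse

# session id -> session state; "csrf_token" is the per-session form token
SESSIONS: dict[str, dict] = {}

# Assumed location of the shell-command page; not the real wiki path.
TOOL_URL = "https://wiki.example.test/bin/view/Admin/RunShellCommand"


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # POST body fields

    def param(self, name: str):
        """Servlet-style lookup: body field first, then query string."""
        if name in self.form:
            return self.form[name]
        return parse_qs(urlparse(self.url).query).get(name, [None])[0]


def login(user: str, admin: bool) -> str:
    """Create a session the way a login would; returns the cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "admin": admin,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_of(req: Request):
    return SESSIONS.get(req.cookies.get("JSESSIONID", ""))


def run_shell(command: str) -> str:
    """The dangerous primitive the admin tool exposes (the demo only ever
    passes constructed 'echo ...' commands)."""
    return subprocess.run(command, shell=True, capture_output=True,
                          text=True).stdout.strip()


def vulnerable_handler(req: Request):
    """Pre-4.5.1 pattern: the only gate is 'is the caller an admin?'. The
    browser attaches the session cookie to every request, so any page the
    admin views can trigger this with a plain GET."""
    sess = session_of(req)
    if not sess or not sess["admin"]:
        return 403, "admin rights required"
    command = req.param("command") or ""
    if not command:
        return 400, "command required"
    return 200, run_shell(command)


def fixed_handler(req: Request):
    """4.5.1-style pattern: require a state-changing method and a form token
    that only a page rendered inside the admin's own session could know."""
    sess = session_of(req)
    if not sess or not sess["admin"]:
        return 403, "admin rights required"
    if req.method != "POST":
        return 405, "POST required"
    token = req.param("form_token") or ""
    # Constant-time compare on bytes so a non-ASCII token cannot raise.
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403, "invalid form_token"
    command = req.param("command") or ""
    if not command:
        return 400, "command required"
    return 200, run_shell(command)


def attacker_comment(command: str) -> str:
    """Constructed comment body: an image whose URL is the attack request."""
    return f'<img src="{TOOL_URL}?command={quote(command)}">'


def browser_loads_comment(comment: str, victim_sid: str) -> Request:
    """What the victim's browser does when rendering the comment: GET the
    image URL, attaching the wiki session cookie automatically."""
    src = re.search(r'<img src="([^"]+)"', comment).group(1)
    return Request("GET", src, cookies={"JSESSIONID": victim_sid})


def demo() -> dict:
    admin_sid = login("Admin", admin=True)
    forged = browser_loads_comment(attacker_comment("echo pwned"), admin_sid)
    # A legitimate submission from the tool's own form carries the token.
    legit = Request("POST", TOOL_URL, cookies={"JSESSIONID": admin_sid},
                    form={"command": "echo ok",
                          "form_token": SESSIONS[admin_sid]["csrf_token"]})
    return {
        "vulnerable_csrf": vulnerable_handler(forged),   # (200, "pwned")
        "fixed_csrf": fixed_handler(forged),             # (405, "POST required")
        "fixed_legit": fixed_handler(legit),             # (200, "ok")
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged request is indistinguishable from a legitimate one on every field the vulnerable handler inspects (cookie, admin flag, `command`), which is why an authorization check alone cannot stop CSRF. The fix works because the token lives in the admin's session and is only written into forms the wiki itself renders; a comment author cannot read it, so a request originating from their markup cannot carry it. Requiring POST on its own is not sufficient (an attacker-controlled page can auto-submit a form), but it removes the image-tag trigger and pairs naturally with the token check.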

Affected Version(s)

application-admintools >= 4.4, < 4.5.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware and other follow-on attacks.


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved