XWiki Admin Tools Application CSRF with QueryOnXWiki allows arbitrary database queries
CVE-2023-48293

8.8 HIGH

Key Information:

Vendor: XWiki
CVE Published: 20 November 2023

Summary

The XWiki Admin Tools Application has a cross-site request forgery (CSRF) vulnerability that allows an attacker to execute arbitrary queries on the XWiki database. This can lead to unauthorized modification or deletion of wiki content, jeopardizing the confidentiality, integrity, and availability of the entire XWiki instance. Attackers can exploit this vulnerability via comments that include specially crafted wiki syntax. It is recommended to update to version 4.5.1, which addresses the issue by adding form token checks. Additional workarounds are available for users unable to upgrade immediately.

Affected Version(s)

application-admintools < 4.5.1

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved