CVE-2023-48293

XWiki Admin Tools Application CSRF with QueryOnXWiki allows arbitrary database queries

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other things, this allows modifying and deleting all data of the wiki. This could be both used to damage the wiki and to create an account with elevated privileges for the attacker, thus impacting the confidentiality, integrity and availability of the whole XWiki instance. A possible attack vector are comments on the wiki, by embedding an image with wiki syntax like `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]]`, all documents would be deleted from the database when an admin user views this comment. This has been patched in Admin Tools Application 4.5.1 by adding form token checks. Some workarounds are available. The patch can also be applied manually to the affected pages. Alternatively, if the query tool is not needed, by deleting the document `Admin.SQLToolsGroovy`, all database query tools can be deactivated.

XWiki Admin Tools Application proporciona herramientas para ayudar en la administración de XWiki. Antes de la versión 4.5.1, una vulnerabilidad de Cross-Site Request Forgery en la herramienta de consulta en XWiki permitía ejecutar consultas arbitrarias en la base de datos de la instalación de XWiki. Entre otras cosas, esto permite modificar y eliminar todos los datos de la wiki. Esto podría usarse tanto para dañar el wiki como para crear una cuenta con privilegios elevados para el atacante, impactando así la confidencialidad, integridad y disponibilidad de toda la instancia de XWiki. Un posible vector de ataque son los comentarios en la wiki, al incrustar una imagen con sintaxis de wiki como `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]]`, todos los documentos se eliminará de la base de datos cuando un usuario administrador vea este comentario. Esto se ha solucionado en la aplicación Admin Tools 4.5.1 añadiendo comprobaciones de tokens de formulario. Algunos workarounds están disponibles. El parche también se puede aplicar manualmente a las páginas afectadas. Alternativamente, si la herramienta de consulta no es necesaria, al eliminar el documento `Admin.SQLToolsGroovy`, se pueden desactivar todas las herramientas de consulta de la base de datos.

*Credits: N/A

CVSS Scores

NISTv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-11-14 CVE Reserved
2023-11-20 CVE Published
2023-11-30 EPSS Updated
2024-10-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46	2023-11-29
https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv	2023-11-29

URL	Date	SRC
https://jira.xwiki.org/browse/ADMINTOOL-92	2023-11-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				< 4.5.1 Search vendor "Xwiki" for product "Xwiki" and version " < 4.5.1"		-		Affected