CVE-2022-41927

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 13.10.7 XWiki Platform versions prior to 14.4.1 XWiki Platform versions prior to 14.5RC1

Description The XWiki Platform is susceptible to Cross-Site Request Forgery (CSRF) attacks, which may allow attackers to delete or rename tags without needing any confirmation. This issue can be exploited by using a simple request.

Recommendations For versions prior to 13.10.7, update to version 13.10.7 or later. For versions prior to 14.4.1, update to version 14.4.1 or later. For versions prior to 14.5RC1, update to version 14.5RC1 or later. As a temporary workaround, consider patching existing instances directly by editing the page Main.Tags and adding a check to validate the form token using the #if (!$services.csrf.isTokenValid($request.get('form token'))) condition, and return an error if the token is invalid.