PT-2023-4802 · Unknown · Ckeditor Integration Ui+1

Michael Hamann · Published 2023-01-04 · Updated 2023-01-10 · CVE-2023-22457

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
CKEditor Integration UI versions prior to 1.64.3
XWiki Platform versions prior to 14.6 RC1

Description
The CKEditor integration interface of the XWiki platform performs insufficient authentication checks on the requests it executes. This allows an attacker to mount a Cross-Site Request Forgery (CSRF) attack that can lead to arbitrary remote code execution. If a privileged user with programming rights is tricked into executing a GET request to the CKEditor.HTMLConverter document with certain parameters, the attacker could gain rights, access private information, or impact the availability of the wiki.

Recommendations
For CKEditor Integration UI versions prior to 1.64.3, upgrade to version 1.64.3 or later. For XWiki Platform versions prior to 14.6 RC1, upgrade to version 14.6 RC1 or later. As a temporary workaround, restrict access to the CKEditor.HTMLConverter document to minimize the risk of exploitation.
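As an added illustration of the defensive point behind this record (example code written here, not XWiki's or CKEditor's own code), the Python below contrasts a handler that executes any request arriving with an authenticated session, including a GET triggered from a cross-site page, with one that refuses GET for a state-changing action and validates a per-session anti-CSRF token that a foreign origin cannot read. The request structure, the `form_token` parameter name, the `execute_conversion` stand-in and the session identifiers are assumptions; the sample requests are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (not XWiki's request object)."""
    method: str
    params: Dict[str, str]
    session_id: Optional[str]  # identifies the authenticated browser session, if any


def execute_conversion(params: Dict[str, str]) -> str:
    """Hypothetical stand-in for the privileged action the endpoint performs.
    It only echoes the submitted text so that the access check itself can be shown."""
    return "converted:" + params.get("text", "")


class CsrfGuard:
    """Per-session anti-CSRF tokens, compared in constant time."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue_token(self, session_id: str) -> str:
        # A fresh unguessable token is bound to the session and embedded in forms the site serves.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def is_valid(self, session_id: Optional[str], submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id) if session_id else None
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def handle_convert_unprotected(request: Request) -> Tuple[int, str]:
    """Weak pattern: every request from an authenticated session is executed,
    so a GET caused by a link or image tag on a foreign page runs with the victim's rights."""
    if request.session_id is None:
        return 401, "not authenticated"
    return 200, execute_conversion(request.params)


def handle_convert_protected(guard: CsrfGuard, request: Request) -> Tuple[int, str]:
    """Hardened pattern: refuse GET for a state-changing action and require a
    valid per-session token that a cross-site page cannot obtain."""
    if request.session_id is None:
        return 401, "not authenticated"
    if request.method != "POST":
        return 405, "state-changing action requires POST"
    if not guard.is_valid(request.session_id, request.params.get("form_token")):
        return 403, "missing or invalid CSRF token"
    return 200, execute_conversion(request.params)


def demo() -> Dict[str, Tuple[int, str]]:
    """Runs constructed requests through both handlers and returns the outcomes."""
    guard = CsrfGuard()
    token = guard.issue_token("sess-admin")  # token the legitimate page would embed

    # Constructed cross-site GET: the browser attaches the victim's session, the params are foreign.
    forged_get = Request("GET", {"text": "attacker-chosen"}, "sess-admin")
    # Constructed legitimate POST from the site's own form, carrying the token.
    legit_post = Request("POST", {"text": "hello", "form_token": token}, "sess-admin")
    # Constructed cross-site POST: the foreign page cannot know the token, so it is wrong.
    forged_post = Request("POST", {"text": "hello", "form_token": "guess"}, "sess-admin")

    return {
        "unprotected_forged_get": handle_convert_unprotected(forged_get),
        "protected_forged_get": handle_convert_protected(guard, forged_get),
        "protected_legit_post": handle_convert_protected(guard, legit_post),
        "protected_forged_post": handle_convert_protected(guard, forged_post),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The method check alone is not sufficient (a foreign page can submit a POST form), and the token alone is not sufficient if it is accepted on GET where it may leak through URLs and logs; the two checks are meant to be applied together, and the token comparison uses `hmac.compare_digest` so that a wrong guess is not distinguishable by timing.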

Exploit
Fix
CSRF

Weakness Enumeration

Related Identifiers
BDU:2023-05265
CVE-2023-22457
GHSA-6MJP-2RM6-9G85

Affected Products
Ckeditor Integration Ui
Xwiki Platform