PT-2023-8618 · Xwiki · Xwiki Admin Tools

Michael Hamann · Published 2023-11-20 · Updated 2023-11-29 · CVE-2023-48292

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: XWiki Admin Tools versions 4.4 through 4.5.0

Description: The issue stems from insufficient verification of executed requests in the XWiki Admin Tools application: the Admin.RunShellCommand page runs the command supplied in a request without a form (CSRF) token check. This allows a remote attacker to execute arbitrary commands by tricking an admin into loading a URL that carries a shell command. For example, an attacker can leave a comment on a wiki page containing an image whose URL is "/xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked". When an admin views the comment, the file "/tmp/attacked" is created on the server. The command output is also vulnerable to XWiki syntax injection, which can be used to execute Groovy code in the context of the XWiki installation, compromising its integrity and confidentiality.

Recommendations: For versions 4.4 through 4.5.0, update to version 4.5.1 or later, which includes a patch that adds a form token check to prevent this issue. As a temporary workaround, consider deleting the document Admin.RunShellCommand if the ability to run shell commands is not needed. Alternatively, the patch can be applied manually to the affected wiki pages.
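A defender triaging this advisory will want to know whether the RunShellCommand page was ever driven by a request that carried a command but no form token. The script below is an added example, not part of this advisory or of the XWiki project: it runs over constructed Common Log Format lines and reports such requests, assuming the token parameter is named form_token and that the page is reachable at the path quoted in the description.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real server data.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.9 - admin [20/Nov/2023:10:01:07 +0000] "GET /xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked HTTP/1.1" 200 812
10.0.0.9 - admin [20/Nov/2023:10:02:30 +0000] "POST /xwiki/bin/view/Admin/RunShellCommand?form_token=abc123&command=uptime HTTP/1.1" 200 640
10.0.0.9 - admin [20/Nov/2023:10:03:11 +0000] "GET /xwiki/bin/view/Admin/RunShellCommand HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path of the vulnerable page as given in the advisory description.
ENDPOINT = "/xwiki/bin/view/Admin/RunShellCommand"
TOKEN_PARAM = "form_token"  # assumed name of the XWiki CSRF token parameter


def find_tokenless_commands(log_text):
    """Return one record per request that asked RunShellCommand to run a
    command without a form token in the query string; that is the shape of
    the cross-site request described in CVE-2023-48292."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path.rstrip("/") != ENDPOINT:
            continue
        params = parse_qs(parts.query)  # parse_qs already percent-decodes values
        if "command" not in params:
            continue  # plain page view, nothing was executed
        if TOKEN_PARAM in params:
            continue  # token supplied; the patched page validates it server-side
        findings.append({
            "ip": m["ip"], "user": m["user"], "time": m["ts"],
            "method": m["method"], "command": params["command"][0],
        })
    return findings


if __name__ == "__main__":
    for f in find_tokenless_commands(SAMPLE_LOG):
        print(f"{f['time']} {f['user']}@{f['ip']} {f['method']} command={f['command']!r}")
```

Tokens submitted in a POST body are not visible in access logs, so this heuristic only catches the GET-style trigger the advisory describes; a legitimate pre-patch GET use of the page would be reported as well and must be ruled out by hand.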

Exploit · Fix · CSRF

Weakness Enumeration

Related Identifiers

BDU:2024-01271
CVE-2023-48292
GHSA-8JPR-FF92-HPF9

Affected Products

Xwiki Admin Tools