PT-2023-8619 · Xwiki · Xwiki Admin Tools Application

Michael Hamann · Published 2023-11-20 · Updated 2023-11-29 · CVE-2023-48293

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: XWiki Admin Tools Application versions prior to 4.5.1

Description: A cross-site request forgery issue in the "Query on XWiki" tool allows executing arbitrary database queries on the database of the XWiki installation. This could be used to damage the wiki, create an account with elevated privileges for the attacker, and impact the confidentiality, integrity, and availability of the whole XWiki instance. A possible attack vector is through comments on the wiki by embedding an image with wiki syntax like [[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]], which could delete all documents from the database when an admin user views this comment.

Recommendations: For versions prior to 4.5.1, update to Admin Tools Application 4.5.1, which includes a patch that adds form token checks to prevent the issue. As a temporary workaround, consider applying the patch manually to the affected pages. Alternatively, if the query tool is not needed, delete the document Admin.SQLToolsGroovy to deactivate all database query tools.

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

BDU:2024-01272
CVE-2023-48293
GHSA-4F4C-RHJV-4WGV

Affected Products

Xwiki Admin Tools Application