8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-48293

GHSA ID

GHSA-4f4c-rhjv-4wgv

EPSS Score

0.72275%

CWE

CWE-352

Published

11/20/2023

Updated

11/20/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-48293

CVE-2023-48293: Cross-Site Request Forgery with QueryOnXWiki allows arbitrary database queries

Impact

A CSRF vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other things, this allows modifying and deleting all data of the wiki. This could be both used to damage the wiki and to create an account with elevated privileges for the attacker, thus impacting the confidentiality, integrity and availability of the whole XWiki instance. A possible attack vector are comments on the wiki, by embedding an image with wiki syntax like [[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]], all documents would be deleted from the database when an admin user views this comment.

Patches

This has been patched in Admin Tools Application 4.5.1 by adding form token checks.

Workarounds

The patch can also be applied manually to the affected pages. Alternatively, if the query tool is not needed, by deleting the document Admin.SQLToolsGroovy, all database query tools can be deactivated.

References

https://jira.xwiki.org/browse/ADMINTOOL-92
https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-48293

GHSA ID

GHSA-4f4c-rhjv-4wgv

EPSS Score

0.72275%

CWE

CWE-352

Published

11/20/2023

Updated

11/20/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.contrib:xwiki-application-admintools	maven	< 4.5.1	4.5.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing CSRF protections in the query execution flow. The commit diff shows the patched version added a 'form_token' parameter to SQLTools.getForm and added CSRF validation checks in Query.xml/QueryOnXWiki.xml. The original getForm method (without the token) allowed form submissions to execute arbitrary database queries without CSRF validation. This function is directly responsible for rendering the vulnerable form interface, making it the root enabler of the CSRF vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * *SR* vuln*r**ility in t** qu*ry on XWiki tool *llows *x**utin* *r*itr*ry **t***s* qu*ri*s on t** **t***s* o* t** XWiki inst*ll*tion. *mon* ot**r t*in*s, t*is *llows mo*i*yin* *n* **l*tin* *ll **t* o* t** wiki. T*is *oul* ** *ot* us** to

Reasoning

T** vuln*r**ility st*mm** *rom missin* *SR* prot**tions in t** qu*ry *x**ution *low. T** *ommit *i** s*ows t** p*t**** v*rsion ***** * '*orm_tok*n' p*r*m*t*r to `SQLTools.**t*orm` *n* ***** *SR* v*li**tion ****ks in `Qu*ry.xml`/`Qu*ryOnXWiki.xml`. T*

8.8

Basic Information

Concerned about an active attack path?

CVE-2023-48293: Cross-Site Request Forgery with QueryOnXWiki allows arbitrary database queries

Impact

Patches

Workarounds

References

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI