Skip to content

Cross-Site Request Forgery (CSRF) allowing to delete or rename tags

High
surli published GHSA-mq7h-5574-hw9f Nov 21, 2022

Package

maven org.xwiki.platform:xwiki-platform-tag-ui (Maven)

Affected versions

> 3.2M2

Patched versions

14.5RC1, 14.4.1, 13.10.7

Description

Impact

It's possible with a simple request to perform deletion or renaming of tags without needing any confirmation, by using a CSRF attack.

Patches

The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1.

Workarounds

It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code for renaming and for deleting:

#if (!$services.csrf.isTokenValid($request.get('form_token')))
    #set ($discard = $response.sendError(401, "Wrong CSRF token"))
#end

See the commit with the fix for more information about patching the page: 7fd4cda

References

For more information

If you have any questions or comments about this advisory:

Severity

High
7.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

CVE ID

CVE-2022-41927

Weaknesses