XWiki Platform, a popular open-source wiki software platform, has been discovered to have a Cross-Site Request Forgery (CSRF) vulnerability (CVE-2022-41927) that can potentially allow malicious actors to rename or delete tags on XWiki pages without the need for any sort of confirmation. The vulnerability has been classified as CVE-2022-41927, and XWiki developers have swiftly patched the issue in XWiki versions 13.10.7, 14.4.1, and 14.5RC1. However, if you are still using a vulnerable version and unable to update the platform immediately, there are workarounds you can employ to protect your instance from this CSRF vulnerability.
Code Snippet
The issue can be resolved by manually adding a check in the code that verifies whether the CSRF token is valid or not. You can insert the following code snippet in the Main.Tags page, specifically in the code blocks for renaming and deleting tags in your XWiki instance:
#if (!$services.csrf.isTokenValid($request.get('form_token')))
#set ($discard = $response.sendError(401, "Wrong CSRF token"))
#end
`
Adding this check will ensure that only authorized requests can be made for renaming or deleting tags in XWiki, preventing CSRF attacks from unauthorized sources.
Original References
1. XWiki Security Advisory: https://www.xwiki.org/xwiki/bin/view/Security/XWIKI-19428
2. XWiki Downloads: https://www.xwiki.org/xwiki/bin/view/Main/Download
3. Patched XWiki Source Code: https://github.com/xwiki/xwiki-platform
Exploit Details
The exploit works by tricking a logged-in XWiki user who has the necessary privileges to access the Main.Tags page and perform unauthorized operations, such as renaming or deleting tags. By embedding malicious code or a link in a webpage, an attacker can send a forged request to the XWiki instance on behalf of the user without their knowledge. Since the vulnerable XWiki platform versions do not check for a valid CSRF token before processing these requests, unauthorized actions can be executed unintentionally when the user visits such a malicious page.
Conclusion
If your XWiki instance is affected by the CSRF vulnerability specified as CVE-2022-41927, it is highly recommended that you update to one of the patched XWiki versions, 13.10.7, 14.4.1, or 14.5RC1, as soon as possible. In the meantime or if updating is not feasible, applying the workaround by inserting the provided CSRF token validation code snippet in the Main.Tags page's renaming and deleting tags code blocks can vastly improve your instance's security against this CSRF exploit.
Timeline
Published on: 11/23/2022 19:15:00 UTC
Last modified on: 11/30/2022 16:22:00 UTC