cve-2023-48293
Vulnerability from cvelistv5
Published
2023-11-20 18:14
Modified
2024-10-11 15:23
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other things, this allows modifying and deleting all data of the wiki. This could be both used to damage the wiki and to create an account with elevated privileges for the attacker, thus impacting the confidentiality, integrity and availability of the whole XWiki instance. A possible attack vector are comments on the wiki, by embedding an image with wiki syntax like `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]]`, all documents would be deleted from the database when an admin user views this comment. This has been patched in Admin Tools Application 4.5.1 by adding form token checks. Some workarounds are available. The patch can also be applied manually to the affected pages. Alternatively, if the query tool is not needed, by deleting the document `Admin.SQLToolsGroovy`, all database query tools can be deactivated.
References
security-advisories@github.comhttps://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46Patch
security-advisories@github.comhttps://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgvPatch, Vendor Advisory
security-advisories@github.comhttps://jira.xwiki.org/browse/ADMINTOOL-92Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgvPatch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://jira.xwiki.org/browse/ADMINTOOL-92Vendor Advisory
Impacted products
Vendor Product Version
xwiki-contrib application-admintools Version: < 4.5.1
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T21:23:39.486Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv",
               },
               {
                  name: "https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46",
               },
               {
                  name: "https://jira.xwiki.org/browse/ADMINTOOL-92",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://jira.xwiki.org/browse/ADMINTOOL-92",
               },
            ],
            title: "CVE Program Container",
         },
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2023-48293",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2023-12-19T20:11:10.452417Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-10-11T15:23:39.463Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "application-admintools",
               vendor: "xwiki-contrib",
               versions: [
                  {
                     status: "affected",
                     version: "< 4.5.1",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other things, this allows modifying and deleting all data of the wiki. This could be both used to damage the wiki and to create an account with elevated privileges for the attacker, thus impacting the confidentiality, integrity and availability of the whole XWiki instance. A possible attack vector are comments on the wiki, by embedding an image with wiki syntax like `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]]`, all documents would be deleted from the database when an admin user views this comment. This has been patched in Admin Tools Application 4.5.1 by adding form token checks. Some workarounds are available. The patch can also be applied manually to the affected pages. Alternatively, if the query tool is not needed, by deleting the document `Admin.SQLToolsGroovy`, all database query tools can be deactivated.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 8.8,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-352",
                     description: "CWE-352: Cross-Site Request Forgery (CSRF)",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-11-20T18:14:08.724Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv",
            },
            {
               name: "https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46",
            },
            {
               name: "https://jira.xwiki.org/browse/ADMINTOOL-92",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://jira.xwiki.org/browse/ADMINTOOL-92",
            },
         ],
         source: {
            advisory: "GHSA-4f4c-rhjv-4wgv",
            discovery: "UNKNOWN",
         },
         title: "XWiki Admin Tools Application CSRF with QueryOnXWiki allows arbitrary database queries",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2023-48293",
      datePublished: "2023-11-20T18:14:08.724Z",
      dateReserved: "2023-11-14T17:41:15.570Z",
      dateUpdated: "2024-10-11T15:23:39.463Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2023-48293\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-11-20T19:15:08.870\",\"lastModified\":\"2024-11-21T08:31:25.337\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other things, this allows modifying and deleting all data of the wiki. This could be both used to damage the wiki and to create an account with elevated privileges for the attacker, thus impacting the confidentiality, integrity and availability of the whole XWiki instance. A possible attack vector are comments on the wiki, by embedding an image with wiki syntax like `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]]`, all documents would be deleted from the database when an admin user views this comment. This has been patched in Admin Tools Application 4.5.1 by adding form token checks. Some workarounds are available. The patch can also be applied manually to the affected pages. Alternatively, if the query tool is not needed, by deleting the document `Admin.SQLToolsGroovy`, all database query tools can be deactivated.\"},{\"lang\":\"es\",\"value\":\"XWiki Admin Tools Application proporciona herramientas para ayudar en la administración de XWiki. Antes de la versión 4.5.1, una vulnerabilidad de Cross-Site Request Forgery en la herramienta de consulta en XWiki permitía ejecutar consultas arbitrarias en la base de datos de la instalación de XWiki. Entre otras cosas, esto permite modificar y eliminar todos los datos de la wiki. Esto podría usarse tanto para dañar el wiki como para crear una cuenta con privilegios elevados para el atacante, impactando así la confidencialidad, integridad y disponibilidad de toda la instancia de XWiki. Un posible vector de ataque son los comentarios en la wiki, al incrustar una imagen con sintaxis de wiki como `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]]`, todos los documentos se eliminará de la base de datos cuando un usuario administrador vea este comentario. Esto se ha solucionado en la aplicación Admin Tools 4.5.1 añadiendo comprobaciones de tokens de formulario. Algunos workarounds están disponibles. El parche también se puede aplicar manualmente a las páginas afectadas. Alternativamente, si la herramienta de consulta no es necesaria, al eliminar el documento `Admin.SQLToolsGroovy`, se pueden desactivar todas las herramientas de consulta de la base de datos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.1\",\"matchCriteriaId\":\"94575ED9-1677-4701-8C80-6E435C9B1850\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/ADMINTOOL-92\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/ADMINTOOL-92\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"cna\": {\"title\": \"XWiki Admin Tools Application CSRF with QueryOnXWiki allows arbitrary database queries\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-352\", \"lang\": \"en\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv\"}, {\"name\": \"https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46\"}, {\"name\": \"https://jira.xwiki.org/browse/ADMINTOOL-92\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://jira.xwiki.org/browse/ADMINTOOL-92\"}], \"affected\": [{\"vendor\": \"xwiki-contrib\", \"product\": \"application-admintools\", \"versions\": [{\"version\": \"< 4.5.1\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-11-20T18:14:08.724Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other things, this allows modifying and deleting all data of the wiki. This could be both used to damage the wiki and to create an account with elevated privileges for the attacker, thus impacting the confidentiality, integrity and availability of the whole XWiki instance. A possible attack vector are comments on the wiki, by embedding an image with wiki syntax like `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]]`, all documents would be deleted from the database when an admin user views this comment. This has been patched in Admin Tools Application 4.5.1 by adding form token checks. Some workarounds are available. The patch can also be applied manually to the affected pages. Alternatively, if the query tool is not needed, by deleting the document `Admin.SQLToolsGroovy`, all database query tools can be deactivated.\"}], \"source\": {\"advisory\": \"GHSA-4f4c-rhjv-4wgv\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T21:23:39.486Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv\"}, {\"name\": \"https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46\"}, {\"name\": \"https://jira.xwiki.org/browse/ADMINTOOL-92\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://jira.xwiki.org/browse/ADMINTOOL-92\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-48293\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2023-12-19T20:11:10.452417Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-11T15:23:34.832Z\"}}]}",
         cveMetadata: "{\"cveId\": \"CVE-2023-48293\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2023-11-14T17:41:15.570Z\", \"datePublished\": \"2023-11-20T18:14:08.724Z\", \"dateUpdated\": \"2024-10-11T15:23:39.463Z\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.