XWiki Cross-Site Request Forgery (CSRF) Vulnerability - CVE-2022-41927
Reference:
CVE-2022-41927
Title:
XWiki Cross-Site Request Forgery (CSRF) Vulnerability
Overview:
XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7 14.4.1 and 14.5RC1. Workarounds: It39s possible to patch existing instances directly by editing the page Main.Tags and add this kind of check in the code for renaming and for deleting: if (services.csrf.isTokenValid(request.get(39form_token39))) set (discard response.sendError(401 quotWrong CSRF tokenquot)) end