CVE-2023-48292
Published 2023-11-20
Priority: P2 (71) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit available · EPSS: 22.94% (97.5th percentile)
The XWiki Admin Tools Application provides tools to help the administration of XWiki. Starting in version 4.4 and prior to version 4.5.1, a cross site request forgery vulnerability in the admin tool for executing shell commands on the server allows an attacker to execute arbitrary shell commands by tricking an admin into loading the URL with the shell command. A very simple possibility for an attack is comments. When the attacker can leave a comment on any page in the wiki, it is sufficient to include an image with a URL like `/xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked` in the comment. When an admin views the comment, the file `/tmp/attacked` will be created on the server. The output of the command is also vulnerable to XWiki syntax injection, which offers a simple way to execute Groovy in the context of the XWiki installation and thus an even easier way to compromise the integrity and confidentiality of the whole XWiki installation. This has been patched by adding a form token check in version 4.5.1 of the admin tools. Some workarounds are available: the patch can be applied manually to the affected wiki pages, or the document `Admin.RunShellCommand` can be deleted if the possibility to run shell commands isn't needed.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki-contrib | application-admintools | — | — |
| xwiki | admin_tools | >= 4.4 < 4.5.1 | 4.5.1 |
Detection & IOCs (extracted from sources)
- Alert on requests to the `Admin/RunShellCommand` endpoint that carry a `command=` parameter without a valid form token (CSRF-unprotected), in particular plain GET requests; the exploit sends `/xwiki/bin/view/Admin/RunShellCommand?command=...`. Note that these requests are authenticated by the victim admin's own session cookie, so authentication status alone does not distinguish them.
- Detect image tags or links in wiki comments pointing to `/xwiki/bin/view/Admin/RunShellCommand` with a `command=` parameter; this is the primary CSRF delivery vector described.
- Monitor HTTP responses from the RunShellCommand endpoint for the string `testtesttest1234`, which the exploit uses as a canary to confirm successful command execution.
- Flag XWiki syntax injection in command output; the vulnerability allows Groovy code execution via XWiki syntax injection in the command output, enabling full installation compromise.
- Check for the presence of the `Admin.RunShellCommand` document in XWiki installations; its existence indicates the vulnerable attack surface is present.
- The vulnerability affects XWiki Admin Tools Application versions 4.4 through 4.5.0 only; version 4.5.1 adds a form token (CSRF) check and is not vulnerable.
- The exploit requires an active admin session; the CSRF attack works by tricking an already-authenticated admin into triggering the endpoint (e.g., via a malicious image in a comment).
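The following Python is an added example implementing the first two checks above (access-log alerting and comment scanning); it is not code from this page, from the XWiki project, or from any published exploit. It assumes the Apache/nginx "combined" access-log format, the hypothetical host `wiki.example.org`, and that a legitimate run is submitted from the RunShellCommand page itself, so a Referer pointing anywhere else is treated as suspicious; `form_token` is the request parameter XWiki's CSRF protection uses. The log lines and the comment body are constructed samples.

```python
"""Detection helpers for CVE-2023-48292 (XWiki Admin Tools, RunShellCommand CSRF).

Two checks mirroring the IOCs above:
  1. scan_access_log(): from web-server access logs, find requests to the
     RunShellCommand endpoint carrying a command= parameter and grade how
     CSRF-like each one looks.
  2. scan_comment(): from wiki comment markup, find image/link URLs that point
     at the endpoint with a command= parameter (the delivery vector).

Assumptions (not from the advisory): combined access-log format, the
hypothetical host wiki.example.org, and that a legitimate run is submitted
from the RunShellCommand page itself. The samples at the bottom are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matches /xwiki/bin/view/Admin/RunShellCommand and also other XWiki actions
# (e.g. /bin/get/) or a different servlet context path.
ENDPOINT_SUFFIX = "/Admin/RunShellCommand"

# Apache/nginx "combined" format: ip - user [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Any absolute or root-relative URL mentioning the endpoint, as it would appear in
# XWiki syntax ([[image:URL]], [[label>>URL]]) or raw HTML (<img src="URL">).
URL_RE = re.compile(r'(?:https?://|/)[^\s\]"\'<>]*RunShellCommand[^\s\]"\'<>]*')


def command_from_url(url):
    """Return (decoded command, parsed query) if url targets the endpoint with
    a command= parameter, else None. parse_qs percent-decodes for us."""
    parts = urlsplit(url)
    if not parts.path.endswith(ENDPOINT_SUFFIX):
        return None
    qs = parse_qs(parts.query)
    if "command" not in qs:
        return None
    return qs["command"][0], qs


def scan_access_log(lines):
    """One finding per request hitting the endpoint with command=.

    high   : GET with command= and no form_token (XWiki's CSRF token parameter);
             this is exactly what an <img src=...> in a comment produces. Its
             Referer is a page on the wiki itself, so a same-origin Referer
             check alone would NOT catch the in-wiki vector.
    medium : not a bare GET, but the Referer is not the RunShellCommand page
             (cross-site lure, or a link planted elsewhere in the wiki).
    info   : token present and submitted from the tool's own page.
    For POST requests the token usually travels in the body, which access logs
    do not record, so only GETs are judged on the missing token.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = command_from_url(m["path"])
        if hit is None:
            continue
        command, qs = hit
        csrf_like = m["method"] == "GET" and "form_token" not in qs
        ref_path = urlsplit(m["referer"]).path if m["referer"] != "-" else ""
        off_page = not ref_path.endswith(ENDPOINT_SUFFIX)
        severity = "high" if csrf_like else "medium" if off_page else "info"
        findings.append({
            "ts": m["ts"], "ip": m["ip"], "user": m["user"],
            "method": m["method"], "command": command,
            "referer": m["referer"], "severity": severity,
        })
    return findings


def scan_comment(markup):
    """Return [(url, decoded command), ...] for every endpoint URL with command=
    embedded in a comment body."""
    hits = []
    for url in URL_RE.findall(markup):
        found = command_from_url(url)
        if found:
            hits.append((url, found[0]))
    return hits


# Constructed samples: a benign page view, the advisory's image-triggered GET,
# a legitimate tokenised run from the tool's page, and a cross-site POST lure.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - admin [20/Nov/2023:10:01:09 +0000] "GET /xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked HTTP/1.1" 200 310 "https://wiki.example.org/xwiki/bin/view/Main/WebHome" "Mozilla/5.0"
198.51.100.7 - admin [20/Nov/2023:11:15:33 +0000] "GET /xwiki/bin/view/Admin/RunShellCommand?command=uptime&form_token=7d1f0a HTTP/1.1" 200 850 "https://wiki.example.org/xwiki/bin/view/Admin/RunShellCommand" "Mozilla/5.0"
198.51.100.7 - admin [20/Nov/2023:11:20:41 +0000] "POST /xwiki/bin/view/Admin/RunShellCommand?command=id HTTP/1.1" 200 420 "https://attacker.example/lure.html" "Mozilla/5.0"
""".splitlines()

SAMPLE_COMMENT = (
    "Great page! [[image:/xwiki/bin/view/Admin/RunShellCommand?command=touch%20/tmp/attacked]] "
    "see also [[the docs>>https://www.example.org/docs]] and "
    '<img src="https://wiki.example.org/xwiki/bin/view/Admin/RunShellCommand?command=id">'
)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['ts']} {f['ip']} user={f['user']} "
              f"{f['method']} command={f['command']!r} referer={f['referer']}")
    for url, cmd in scan_comment(SAMPLE_COMMENT):
        print(f"[comment] command={cmd!r} via {url}")
```

Because the advisory's delivery vector is a comment on the wiki itself, the offending GET arrives with the admin's own cookies and a same-site Referer; SameSite cookie attributes and Referer/Origin checks do not stop it, which is why the fix is a form token and why the GET-with-`command=`-and-no-token signal carries the weight here. Feed the scanner real access logs and the comment objects of pages an untrusted user can comment on; any `high` finding should be treated as executed, not attempted, since the vulnerable page runs the command on load.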
GHSA · 2023-11-20 · CVE-2023-48292 [CRITICAL] · CWE-352
Run Shell Command allows Cross-Site Request Forgery
OSV · 2023-11-20 · CVE-2023-48292 [CRITICAL]
Run Shell Command allows Cross-Site Request Forgery
No detection rules found.
No writeups or analysis indexed.
- https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-8jpr-ff92-hpf9
- https://github.com/xwiki-contrib/application-admintools/commit/03815c505c9f37006a0c56495e862dc549a39da8
- https://jira.xwiki.org/browse/ADMINTOOL-91