Headline
CVE-2022-36095: [XWIKI-19550] Tags can be added and removed without CSRF token validation
XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the documentTags.vm template in one's filesystem, to apply the changes exposed there.
Steps to reproduce:
- Go to <server>/xwiki/bin/view/Main/?xpage=documentTags&xaction=add&ajax=true&tag=foo
- Go to <server>/xwiki/bin/view/Main/?xpage=documentTags&xaction=delete&ajax=true&tag=foo
Expected results:
- A CSRF token validation failure error is displayed (or some other more generic error).
Actual results:
- The tag is added to/deleted from the page.
Note that for adding tags, the CSRF token is actually included in the form but it is not validated on the server.
I have reproduced this issue on 2.6 (and a recent development version) but I think even older versions should be vulnerable.
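As an added detection example (not XWiki code and not part of the original report), the following Python scans web-server access-log lines for requests matching the tag add/delete URLs above, flagging those without a form_token parameter (assumed here to be XWiki's CSRF token parameter name) and those carrying an off-site Referer. The log lines and host names are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: host ident user [time] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TAG_ACTIONS = {"add", "delete"}  # the two documentTags actions named in the advisory

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2022:10:00:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Sep/2022:10:00:02 +0000] "GET /xwiki/bin/view/Main/?xpage=documentTags&xaction=add&ajax=true&tag=foo HTTP/1.1" 200 312 "http://other-site.example/" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Sep/2022:10:00:03 +0000] "GET /xwiki/bin/view/Main/?xpage=documentTags&xaction=delete&ajax=true&tag=foo HTTP/1.1" 200 298 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Sep/2022:10:00:04 +0000] "POST /xwiki/bin/view/Main/?xpage=documentTags&xaction=add&ajax=true&tag=bar&form_token=abc123 HTTP/1.1" 200 312 "https://wiki.example.org/xwiki/bin/view/Main/" "Mozilla/5.0"',
]

def classify(line, site_host):
    """Return a finding dict for a documentTags add/delete request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["path"])
    qs = parse_qs(url.query)
    action = qs.get("xaction", [None])[0]
    if qs.get("xpage") != ["documentTags"] or action not in TAG_ACTIONS:
        return None
    referer = m["referer"]
    return {
        "host": m["host"],
        "page": url.path,
        "method": m["method"],
        "action": action,
        "tags": qs.get("tag", []),
        # form_token is assumed to be XWiki's CSRF parameter name. Its absence is a strong
        # indicator; its presence proves nothing, since the vulnerable template never validated it.
        "has_token": "form_token" in qs,
        # A Referer on another host indicates the request was initiated cross-site.
        "external_referer": referer not in ("", "-") and urlsplit(referer).hostname != site_host,
    }

def scan(lines, site_host):
    """Return findings for every tag add/delete request in the log, most suspicious first."""
    findings = [f for f in (classify(l, site_host) for l in lines) if f]
    return sorted(findings, key=lambda f: (f["has_token"], not f["external_referer"]))

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "wiki.example.org"):
        print(f)
```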
Related news
### Impact
It's possible to perform a CSRF attack for adding or removing tags on XWiki pages.
### Patches
The problem has been patched in XWiki 13.10.5 and 14.3.
### Workarounds
It's possible to fix the issue without upgrading by locally modifying the documentTags.vm template in your filesystem, to apply the changes exposed there: https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae.
### References
https://jira.xwiki.org/browse/XWIKI-19550
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])