Details
Bug
Resolution: Fixed
Critical
3.2 M2
Description
Steps to reproduce:
1. Tag a page with "hello" and "world"
2. Go to <server>/xwiki/bin/view/Main/Tags?do=deleteTag&tag=hello
3. Go to <server>/xwiki/bin/view/Main/Tags?do=renameTag&tag=world&renameTo=bye
Expected result:
No tags are deleted or renamed; CSRF errors are displayed in both cases.
Actual result:
Both actions are executed: the tag "hello" has been deleted and "world" has been renamed to "bye".
This demonstrates a CSRF attack. The two URLs could also be called by embedding images with the respective URLs into the content of a page (or another website) and then getting an admin user to visit this page. While the forms for both deleting and renaming tags contain the CSRF token, there is no code for verifying the token.
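
The gap described in the report, modelled as an added example (not XWiki's code or its fix): a handler that acts on the `do` parameter without checking a token, beside one that compares the supplied token with the session's copy first. The in-memory tag store, the session token, the `form_token` parameter name and the `wiki.example` host are assumptions made for the illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Hypothetical in-memory model of the tag store and an admin session (constructed data).
def new_state():
    return {"tags": {"hello", "world"}, "session_token": secrets.token_urlsafe(16)}

def apply_action(state, params):
    """Perform the tag operation selected by the 'do' parameter."""
    action, tag = params.get("do"), params.get("tag")
    if action == "deleteTag" and tag in state["tags"]:
        state["tags"].discard(tag)
    elif action == "renameTag" and tag in state["tags"] and params.get("renameTo"):
        state["tags"].discard(tag)
        state["tags"].add(params["renameTo"])

def query_params(url):
    """Flatten the query string to one value per parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def handle_unchecked(state, url):
    """Behaviour from the report: the action runs on any request the admin's browser sends."""
    apply_action(state, query_params(url))
    return "ok"

def handle_checked(state, url):
    """Same handler, but the token is compared with the session's copy before acting."""
    params = query_params(url)
    supplied = params.get("form_token", "")  # parameter name is an assumption
    # Constant-time comparison; a missing token compares as the empty string and fails.
    if not hmac.compare_digest(supplied.encode(), state["session_token"].encode()):
        return "csrf-error"
    apply_action(state, params)
    return "ok"

# The two URLs from the steps to reproduce (host is a placeholder).
DELETE_URL = "http://wiki.example/xwiki/bin/view/Main/Tags?do=deleteTag&tag=hello"
RENAME_URL = "http://wiki.example/xwiki/bin/view/Main/Tags?do=renameTag&tag=world&renameTo=bye"

if __name__ == "__main__":
    s = new_state()
    print([handle_unchecked(s, u) for u in (DELETE_URL, RENAME_URL)], sorted(s["tags"]))
    s = new_state()
    print([handle_checked(s, u) for u in (DELETE_URL, RENAME_URL)], sorted(s["tags"]))
```

Embedding the token in the form is not enough on its own; the request is only rejected when the server-side handler performs the comparison before the state change.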