CVE-2023-22457

2023-01-0415:15:09

CWE-352

[email protected]

web.nvd.nist.gov

cve-2023-22457

ckeditor

integration

csrf

arbitrary code execution

patch

security vulnerability

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

8.9 High

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

82.2%

JSON

CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he CKEditor.HTMLConverter document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version.

Affected configurations

Vulners

NVD

Node

xwiki-contribapplication_ckeditorRange<1.64.3

CPENameOperatorVersion
xwiki:ckeditor_integrationxwiki ckeditor integrationlt1.64.3

CPE	Name	Operator	Version
xwiki:ckeditor_integration	xwiki ckeditor integration	lt	1.64.3

CNA Affected

[
  {
    "vendor": "xwiki-contrib",
    "product": "application-ckeditor",
    "versions": [
      {
        "version": "< 1.64.3",
        "status": "affected"
      }
    ]
  }
]