CVE-2023-48292

9.6 CRITICAL

📋 TL;DR

This is a critical CSRF vulnerability in XWiki Admin Tools that allows attackers to execute arbitrary shell commands on the server by tricking administrators into visiting malicious URLs. The vulnerability affects XWiki installations with Admin Tools version 4.4 through 4.5.0, and successful exploitation can lead to complete compromise of the XWiki instance.

💻 Affected Systems

Products:
  • XWiki Admin Tools Application
Versions: 4.4 through 4.5.0
Operating Systems: All platforms running XWiki
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Admin Tools application installed and admin user viewing malicious content.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via arbitrary shell command execution leading to data theft, system takeover, and lateral movement within the network.

🟠 Likely Case

Unauthorized shell command execution leading to data exfiltration, backdoor installation, or service disruption.

🟢 If Mitigated

Attack fails due to CSRF token validation or lack of admin privileges.

🌐 Internet-Facing: HIGH - Attack can be triggered via simple image tags in comments viewed by admins.
🏢 Internal Only: HIGH - Internal attackers can exploit via comments or crafted pages.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin to view malicious content; simple image tag injection in comments is sufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.1

Vendor Advisory: https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-8jpr-ff92-hpf9

Restart Required: No

Instructions:

1. Upgrade Admin Tools to version 4.5.1 or later.
2. Alternatively, manually apply the CSRF token patch from commit 03815c505c9f37006a0c56495e862dc549a39da8.

🔧 Temporary Workarounds

Delete RunShellCommand document

Applies to: all

Remove the vulnerable Admin.RunShellCommand document if shell command functionality is not needed.

Step: Delete document Admin.RunShellCommand via XWiki interface

Apply manual patch

Applies to: all

Manually add CSRF token validation to the RunShellCommand page.

Step: Apply changes from commit 03815c505c9f37006a0c56495e862dc549a39da8 to Admin.RunShellCommand page

🧯 If You Can't Patch

  • Restrict admin access to trusted networks only
  • Implement web application firewall rules to block requests to /xwiki/bin/view/Admin/RunShellCommand

🔍 How to Verify

Check if Vulnerable:

Check Admin Tools version in XWiki administration panel; versions 4.4-4.5.0 are vulnerable.

Check Version:

Check XWiki Admin Tools version in XWiki administration interface

Verify Fix Applied:

Verify Admin Tools version is 4.5.1 or later, or test that RunShellCommand page requires CSRF token.

📡 Detection & Monitoring

Log Indicators:

  • Requests to /xwiki/bin/view/Admin/RunShellCommand without referrer or CSRF token
  • Unusual shell command execution logs

Network Indicators:

  • HTTP GET requests to RunShellCommand endpoint with command parameters

SIEM Query:

url.path:"/xwiki/bin/view/Admin/RunShellCommand" AND NOT csrf_token:*
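The following script is an added example, not part of this advisory and not XWiki's or Admin Tools' own code. It applies the log indicators above to access-log lines: any GET request to the RunShellCommand path that carries no CSRF token parameter, or arrives without a Referer, is flagged. It assumes the Apache/Tomcat "combined" log format and that the token parameter is named form_token (XWiki's usual name; change TOKEN_PARAM if your deployment differs); the log lines and the "command" parameter name are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/xwiki/bin/view/Admin/RunShellCommand"
# Assumption: XWiki's CSRF token travels as the form_token request parameter.
# Adjust this constant if your deployment names it differently.
TOKEN_PARAM = "form_token"

# Apache/Tomcat "combined" access-log format:
# ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def classify(line):
    """Return a finding dict for one access-log line, or None when the line
    is not a request to the RunShellCommand page."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query)
    reasons = []
    # Presence check only: a log cannot tell whether the token value is valid.
    if TOKEN_PARAM not in params:
        reasons.append("missing_csrf_token")
    if m["referer"] in ("", "-"):
        reasons.append("no_referer")
    return {
        "ip": m["ip"],
        "user": m["user"],
        "time": m["time"],
        "method": m["method"],
        # Report parameter names only, never the command values themselves.
        "params": sorted(k for k in params if k != TOKEN_PARAM),
        "reasons": reasons,
    }


def scan(lines):
    """Return only the findings that carry at least one suspicious reason."""
    findings = []
    for line in lines:
        finding = classify(line)
        if finding and finding["reasons"]:
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic). Line 2 models a request issued
# by the admin's own browser while rendering a comment that embeds an image
# tag: same IP and session user as the legitimate request, but no token.
SAMPLE_LOG = [
    '203.0.113.5 - admin [12/Nov/2023:10:00:01 +0000] '
    '"GET /xwiki/bin/view/Admin/RunShellCommand?form_token=abc123&command=uptime HTTP/1.1" '
    '200 512 "https://wiki.example/xwiki/bin/view/Admin/RunShellCommand" "Mozilla/5.0"',
    '203.0.113.5 - admin [12/Nov/2023:10:02:17 +0000] '
    '"GET /xwiki/bin/view/Admin/RunShellCommand?command=id HTTP/1.1" '
    '200 498 "https://wiki.example/xwiki/bin/view/Main/WebHome" "Mozilla/5.0"',
    '198.51.100.9 - admin [12/Nov/2023:10:03:44 +0000] '
    '"GET /xwiki/bin/view/Admin/RunShellCommand?command=whoami HTTP/1.1" '
    '200 501 "-" "curl/8.0"',
    '203.0.113.5 - admin [12/Nov/2023:10:04:00 +0000] '
    '"GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because a CSRF request is sent by the administrator's own browser, the source IP and authenticated user look entirely legitimate, and an image tag embedded in a comment carries the comment's page as its Referer; the absence of the token is therefore the reliable signal, and the Referer check is only a secondary hint. Note also that tokens passed in a GET query string end up in access logs, so restrict who can read them.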
