Cross-site request forgery in XWiki platform - CVE-2023-46242

 


Published: November 7, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129926
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2023-46242
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to execute content with the rights of the targeted user.

The vulnerability exists due to cross-site request forgery (CSRF) in the edit action when handling crafted edit URLs. A remote attacker can trick a user into following a crafted URL to execute content with the rights of the targeted user.

User interaction is required, and exploitation can lead to code execution if the targeted user has programming rights.
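The description above comes down to one defensive property: a state-changing edit must not be accepted on the strength of the victim's session cookie alone, because the browser attaches that cookie to any request a crafted link triggers. The following Python snippet is an added illustration of that check and is not XWiki's code; the session store, the `form_token` parameter name and the `handle_edit` function are constructed for the example. It rejects an edit arriving as a plain URL (GET) and an edit whose token does not match the one bound to the session, and applies the change only for a POST carrying the correct token.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stores (hypothetical; not XWiki's session or document model).
_sessions: Dict[str, str] = {}   # session id -> CSRF token issued to that session
_pages: Dict[str, str] = {}      # page name -> page content


def new_session() -> Tuple[str, str]:
    """Start a session and issue the unguessable CSRF token its forms must echo back."""
    session_id = secrets.token_urlsafe(16)
    _sessions[session_id] = secrets.token_urlsafe(32)
    return session_id, _sessions[session_id]


def handle_edit(session_id: str, method: str, params: Dict[str, str]) -> Tuple[int, str]:
    """Server-side handling of an edit request; returns (HTTP status, message).

    The session cookie proves only that the browser belongs to a logged-in user,
    not that the user intended this request. The edit is applied only when the
    request is a POST that carries the token issued to this session, a value a
    page on another origin cannot read.
    """
    expected = _sessions.get(session_id)
    if expected is None:
        return 401, "no valid session"
    if method != "POST":
        # A crafted edit URL followed from another site arrives as a GET:
        # never apply state changes on GET.
        return 405, "edits must be submitted with POST"
    supplied = params.get("form_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    page = params.get("page")
    content = params.get("content")
    if not page or content is None:
        return 400, "page and content are required"
    _pages[page] = content
    return 200, "edit applied"


def page_content(page: str) -> Optional[str]:
    """Read back stored page content (None if the page was never written)."""
    return _pages.get(page)


if __name__ == "__main__":
    sid, token = new_session()
    # Crafted edit URL followed from another site: cookie present, but GET and no token.
    print(handle_edit(sid, "GET", {"page": "Main", "content": "injected"}))
    # Legitimate form submission from the application's own edit page.
    print(handle_edit(sid, "POST", {"page": "Main", "content": "hello", "form_token": token}))
    print(page_content("Main"))
```

The token is tied to the session rather than being a global secret, so a token observed in one user's form is useless against another user, and the GET rejection means that a crafted URL cannot change state even if the token check were bypassed. Checking the `Origin` or `Referer` header is a reasonable second layer, but the session-bound token is the primary control.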


How to mitigate CVE-2023-46242

Install the security update from the vendor's website.

Sources