CVE-2023-22457
Published: 04 January 2023
Summary
CVE-2023-22457 is a critical-severity CSRF (CWE-352) vulnerability in XWiki CKEditor Integration. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 21.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a cross-site request forgery flaw (CWE-352) in the CKEditor Integration UI component for XWiki. Prior to version 1.64.3, the CKEditor.HTMLConverter document did not implement any CSRF protections, allowing an attacker to invoke macro execution under the privileges of the current authenticated user. The affected code is present both in the standalone CKEditor Integration application and in the version bundled with XWiki releases before 14.6 RC1.
An attacker who can cause a user possessing programming rights to issue a crafted GET request—via an embedded image tag in a comment, a redirect, or similar vector—can execute arbitrary macros. Successful exploitation yields remote code execution, privilege escalation, disclosure of private content, or denial of service against the wiki instance. The attack requires the victim to be logged in and to interact with attacker-controlled content, but needs no other special preconditions.
Advisories and the associated patches state that the issue is resolved in CKEditor Integration 1.64.3 and in the CKEditor integration shipped with XWiki 14.6 RC1; the referenced commits and GitHub Security Advisory GHSA-6mjp-2rm6-9g85 confirm that upgrading the integration is the only recommended mitigation, with no configuration workarounds available.
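To make the weakness class concrete, the following is an added illustration (not XWiki's or the CKEditor Integration's code, and not the real parameters of the `CKEditor.HTMLConverter` document): a privileged handler that trusts any request from a logged-in session, beside the same handler hardened with a session-bound anti-CSRF token. The `Session`, `Request`, `execute_macro` names and the `form_token`/`macro` parameters are hypothetical.

```python
"""Anti-CSRF token check for a privileged endpoint (added example, generic).

Models CWE-352 as described in the advisory: an endpoint that performs a
privileged action for whoever's browser session is logged in, and the usual
fix of requiring a secret per-session token that a cross-site page cannot
read. All names here are hypothetical, not XWiki's.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session of an authenticated user (hypothetical)."""
    user: str
    has_programming_rights: bool
    # Secret token minted once per session; never derivable by another origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming request (hypothetical)."""
    params: dict
    session: Session


def execute_macro(session: Session, macro: str) -> str:
    """Stand-in for the privileged action; reports what ran and as whom."""
    return f"ran {macro!r} as {session.user}"


def vulnerable_handler(req: Request) -> str:
    """Pattern the advisory describes: the only gate is that the session is
    privileged. Any page the victim loads can make the browser issue this
    GET (the browser attaches the session cookie automatically), so the
    action runs with the victim's rights."""
    if not req.session.has_programming_rights:
        return "denied: insufficient rights"
    return execute_macro(req.session, req.params.get("macro", ""))


def hardened_handler(req: Request) -> str:
    """Same action, but the request must carry the session's CSRF token.
    A third-party page cannot read the victim's token (same-origin policy),
    so it cannot build a request that passes. Comparison is constant-time."""
    if not req.session.has_programming_rights:
        return "denied: insufficient rights"
    supplied = req.params.get("form_token")
    if supplied is None or not hmac.compare_digest(
        supplied.encode(), req.session.csrf_token.encode()
    ):
        return "denied: missing or invalid CSRF token"
    return execute_macro(req.session, req.params.get("macro", ""))


if __name__ == "__main__":
    admin = Session(user="admin", has_programming_rights=True)
    forged = Request(params={"macro": "example"}, session=admin)
    print(vulnerable_handler(forged))   # runs: no token required
    print(hardened_handler(forged))     # denied: token missing
    legit = Request(params={"macro": "example", "form_token": admin.csrf_token},
                    session=admin)
    print(hardened_handler(legit))      # runs: token matches the session
```

The token is the property that distinguishes a request the user's own page built from one another site caused the browser to send; checking the session cookie alone, as the vulnerable handler does, cannot make that distinction.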
EPSS for the CVE rose from a low baseline to a peak of 0.0689 on 2025-12-11 before receding to the current value of 0.0113, indicating a later surge in exploitation interest after the original disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0368
Vulnerability details
CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to version 1.64.3, the `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing macros to be executed with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version.
- CWE(s): CWE-352 (Cross-Site Request Forgery)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
Request monitoring detects anomalous request patterns consistent with cross-site request forgery.
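As an added illustration of the request-monitoring control (not part of the CVE record and not an XWiki feature), the script below scans web server access logs in the common combined log format and flags GET requests to the converter document whose Referer is absent or belongs to a host other than the wiki. The document path `/xwiki/bin/get/CKEditor/HTMLConverter` and all log lines are constructed assumptions for the demo; adapt the path to the deployment being monitored.

```python
"""Referer-based detection of cross-site GETs to a privileged wiki document.

Added example, generic and not XWiki code. Parses combined-log-format lines
and reports requests to the (assumed) converter path that did not originate
from one of the wiki's own pages. Sample log lines are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed path of the document that executes macros for the caller (placeholder).
CONVERTER_PATH = "/xwiki/bin/get/CKEditor/HTMLConverter"

# Constructed sample: one in-wiki request, two suspicious ones, one unrelated page.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jan/2023:10:00:01 +0000] "GET /xwiki/bin/get/CKEditor/HTMLConverter?example=1 HTTP/1.1" 200 512 "https://wiki.example.org/xwiki/bin/edit/Sandbox/WebHome" "Mozilla/5.0"
198.51.100.23 - - [05/Jan/2023:10:00:05 +0000] "GET /xwiki/bin/get/CKEditor/HTMLConverter?example=1 HTTP/1.1" 200 512 "https://third-party.example/page.html" "Mozilla/5.0"
198.51.100.23 - - [05/Jan/2023:10:00:09 +0000] "GET /xwiki/bin/get/CKEditor/HTMLConverter?example=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2023:10:00:12 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 2048 "https://third-party.example/page.html" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines: Iterable[str], wiki_host: str) -> List[Dict[str, str]]:
    """Flag GETs to CONVERTER_PATH that lack a Referer or carry a foreign one."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        # Compare the path component only, ignoring the query string.
        if urlparse(rec["path"]).path != CONVERTER_PATH:
            continue
        referer = rec["referer"]
        if referer in ("", "-"):
            reason = "missing referer"
        elif urlparse(referer).hostname != wiki_host:
            reason = "cross-site referer"
        else:
            continue  # came from one of the wiki's own pages
        findings.append({"ip": rec["ip"], "ts": rec["ts"],
                         "referer": referer, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG.splitlines(), "wiki.example.org"):
        print(finding)
```

Referer can be stripped by browser referrer policies, so "missing referer" is a weaker signal than "cross-site referer" and should be triaged rather than alerted on outright; this heuristic supplements, and does not replace, upgrading the integration to a fixed version.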