CVE-2022-41927: 
Java vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in XWiki Platform's tag management functionality (CVE-2022-41927). The vulnerability affects versions greater than 3.2M2 and was patched in versions 14.5RC1, 14.4.1, and 13.10.7. The issue was discovered and disclosed in November 2022 (GitHub Advisory).

The vulnerability allows attackers to perform unauthorized deletion or renaming of tags through CSRF attacks without requiring any confirmation. The issue stems from missing CSRF token validation in the tag management functionality. The vulnerability has been assigned a CVSS v3.1 score of 7.4 (High severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N. This indicates that the attack vector is network-based, requires low complexity, needs no privileges, but does require user interaction (GitHub Advisory).

The vulnerability allows attackers to manipulate tags within the XWiki platform through CSRF attacks. An attacker could delete or rename tags without authorization, potentially disrupting content organization and classification within the wiki system. The CVSS metrics indicate high impact on data integrity but no direct impact on confidentiality or availability (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.5RC1, 14.4.1, and 13.10.7. For unpatched instances, a manual workaround is available by editing the page Main.Tags and adding CSRF token validation checks in the code for renaming and deleting operations. The specific code to add is: '#if (!$services.csrf.isTokenValid($request.get('form_token'))) #set ($discard = $response.sendError(401, "Wrong CSRF token")) #end' (GitHub Advisory).