CVE-2023-48293: 
Java vulnerability analysis and mitigation

CVE-2023-48293 is a cross-site request forgery (CSRF) vulnerability affecting the XWiki Admin Tools Application prior to version 4.5.1. The vulnerability was discovered and disclosed on November 20, 2023, impacting the query tool functionality within XWiki installations (GitHub Advisory, NVD).

The vulnerability allows execution of arbitrary database queries on the XWiki installation's database through a CSRF attack. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack can be triggered through embedded images in wiki comments using specific wiki syntax, such as [[image:path:/xwiki/bin/view/Admin/QueryOnXWiki?query=DELETE%20FROM%20xwikidoc]] (GitHub Advisory).

The vulnerability has severe implications for affected systems, potentially allowing attackers to modify and delete all wiki data. Additionally, attackers could create accounts with elevated privileges, compromising the confidentiality, integrity, and availability of the entire XWiki instance (GitHub Advisory).

The vulnerability has been patched in Admin Tools Application version 4.5.1 by implementing form token checks. For users unable to upgrade immediately, two workarounds are available: manually applying the patch to affected pages, or if the query tool isn't necessary, deactivating all database query tools by deleting the document 'Admin.SQLToolsGroovy' (GitHub Advisory).