XWiki Platform vulnerable to Cross-Site Request Forgery (CSRF) allowing tags to be deleted or renamed
Description
XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF), which may allow attackers to delete or rename tags without any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workaround: existing instances can be patched directly by editing the page Main.Tags and adding a check of this kind to the code for renaming and for deleting:

```velocity
#if (!$services.csrf.isTokenValid($request.get('form_token')))
  #set ($discard = $response.sendError(401, "Wrong CSRF token"))
#end
```
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-tag-ui (Maven) | >= 3.2-milestone-2, < 13.10.7 | 13.10.7 |
| org.xwiki.platform:xwiki-platform-tag-ui (Maven) | >= 14.0.0, < 14.4.1 | 14.4.1 |
Affected products
1. Range: >= 3.2-milestone-2, < 13.10.7
Patches
17fd4cda05901 XWIKI-19748: Wrong error code in tags
1 file changed · +27 −19
xwiki-platform-core/xwiki-platform-tag/xwiki-platform-tag-ui/src/main/resources/Main/Tags.xml+27 −19 modified@@ -112,19 +112,23 @@ $xwiki.ssx.use('Main.Tags')## </form> {{/html}} #elseif ($do == 'renameTag') - ## - ## Rename tag - ## - #set ($renameTo = "$!{request.get('renameTo')}") - #set ($success = false) - #if ($renameTo != '') - #set ($success = $xwiki.tag.renameTag($tag, $renameTo)) - #end - #if ($success == true || $success == 'OK') - #set ($urlEscapedRenameTo = $escapetool.url($renameTo)) - $response.sendRedirect($doc.getURL('view', "do=viewTag&tag=${urlEscapedRenameTo}&renamedTag=${urlEscapedTag}")) + #if (!$services.csrf.isTokenValid($request.get('form_token'))) + #set ($discard = $response.sendError(401, "Wrong CSRF token")) #else - {{error}}$services.localization.render('xe.tag.rename.failure', ["//${wikiEscapedTag}//", "//${services.rendering.escape($renameTo, 'xwiki/2.1')}//"]){{/error}} + ## + ## Rename tag + ## + #set ($renameTo = "$!{request.get('renameTo')}") + #set ($success = false) + #if ($renameTo != '') + #set ($success = $xwiki.tag.renameTag($tag, $renameTo)) + #end + #if ($success == true || $success == 'OK') + #set ($urlEscapedRenameTo = $escapetool.url($renameTo)) + $response.sendRedirect($doc.getURL('view', "do=viewTag&tag=${urlEscapedRenameTo}&renamedTag=${urlEscapedTag}")) + #else + {{error}}$services.localization.render('xe.tag.rename.failure', ["//${wikiEscapedTag}//", "//${services.rendering.escape($renameTo, 'xwiki/2.1')}//"]){{/error}} + #end #end #elseif ($do == 'prepareDelete') ## 
@@ -142,14 +146,18 @@ $xwiki.ssx.use('Main.Tags')## </form> {{/html}} #elseif ($do == 'deleteTag') - ## - ## Delete tag - ## - #set ($success = $xwiki.tag.deleteTag($tag)) - #if ($success == true || $success == 'OK') - $response.sendRedirect($doc.getURL('view', "deletedTag=${urlEscapedTag}")) + #if (!$services.csrf.isTokenValid($request.get('form_token'))) + #set ($discard = $response.sendError(401, "Wrong CSRF token")) #else - {{error}}$services.localization.render('xe.tag.delete.failure', ["//${wikiEscapedTag}//"]){{/error}} + ## + ## Delete tag + ## + #set ($success = $xwiki.tag.deleteTag($tag)) + #if ($success == true || $success == 'OK') + $response.sendRedirect($doc.getURL('view', "deletedTag=${urlEscapedTag}")) + #else + {{error}}$services.localization.render('xe.tag.delete.failure', ["//${wikiEscapedTag}//"]){{/error}} + #end #end #else ##
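Review bot: in the renameTag hunk, the new `#if (!$services.csrf.isTokenValid($request.get('form_token')))` guard only succeeds if the rename form that precedes this branch (the `</form>` visible in the hunk's context) actually submits a `form_token` field, and the hunk does not touch that form; confirm it carries a hidden `form_token` input populated from `$services.csrf.token`, otherwise every legitimate rename now ends in the error response. On that response, `$response.sendError(401, "Wrong CSRF token")` reports the request as unauthenticated, whereas a rejected CSRF token on an already-authenticated session is an authorization failure, so 403 is the conventional status code.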
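Review bot: the deleteTag hunk repeats the token check and the `sendError(401, "Wrong CSRF token")` response verbatim from the renameTag branch above; since both are state-changing `do` actions dispatched from the same `#elseif` chain, performing the check once for the mutating actions before the dispatch (or in a small Velocity macro) would keep the two copies from drifting apart and would cover any action added later. As in the rename branch, the `prepareDelete` confirmation form must emit a hidden `form_token` for `$services.csrf.isTokenValid` to pass, and a rejected token is better reported as 403 than 401.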