CVE-2021-32731

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Between (and including) versions 13.1RC1 and 13.1, the reset password form reveals the email address of users just by giving their username. The problem has been patched on XWiki 13.2RC1. As a workaround, it is possible to manually modify the resetpasswordinline.vm to perform the changes made to mitigate the vulnerability.

Published: Jul 1, 2021
Updated: May 9, 2024
CVE: CVE-2021-32731
GHSA: GHSA-h4m4-pgp4-whgm
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-200
CWE-668

Affected Software
References

Software	From	Fixed in
xwiki / xwiki	13.1	13.1.x
xwiki / xwiki	13.1-rc1	13.1-rc1.x
org.xwiki.platform / xwiki-platform-web	13.1	13.2

https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4m4-pgp4-whgm
https://jira.xwiki.org/browse/XWIKI-18400

Vulnerability Database

CVE-2021-32731

Deep Security Visibility Without the Complexity