CVE-2021-32731

Published: Jul 1, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Between (and including) versions 13.1RC1 and 13.1, the reset password form reveals the email address of users just by giving their username. The problem has been patched on XWiki 13.2RC1. As a workaround, it is possible to manually modify the `resetpasswordinline.vm` to perform the changes made to mitigate the vulnerability.

Affected (2)

Products: Xwiki: Xwiki

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	Version 13.1
Xwiki Xwiki	Version 13.1 rc1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4m4-pgp4-whgm

Source: security-advisories@github.com

PatchThird Party Advisory

https://jira.xwiki.org/browse/XWIKI-18400

Source: security-advisories@github.com

Issue TrackingPatchVendor Advisory

https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4m4-pgp4-whgm

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://jira.xwiki.org/browse/XWIKI-18400

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchVendor Advisory

Timeline

No history available yet.