XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Between (and including) versions 13.1RC1 and 13.1, the reset password form reveals the email address of users just by giving their username. The problem has been patched on XWiki 13.2RC1. As a workaround, it is possible to manually modify the `resetpasswordinline.vm` to perform the changes made to mitigate the vulnerability.
References
Link | Resource |
---|---|
https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2 | Patch Third Party Advisory |
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4m4-pgp4-whgm | Patch Third Party Advisory |
https://jira.xwiki.org/browse/XWIKI-18400 | Issue Tracking Patch Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2021-07-01T19:05:14
Updated: 2021-07-01T19:05:13
Reserved: 2021-05-12T00:00:00
Link: CVE-2021-32731
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-07-01T19:15:07.703
Modified: 2022-10-25T15:41:23.360
Link: CVE-2021-32731
JSON object: View
Redhat Information
No data.
CWE