Ecosyste.ms: Advisories
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg0bTQtcGdwNC13aGdt
The reset password form reveals users' email addresses
Impact
The reset password form reveals the email address of a user when given only that user's username.
Patches
The problem has been patched in XWiki 13.2RC1.
Workarounds
It's possible to manually modify the resetpasswordinline.vm template to apply the changes made in this commit: https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2
References
https://jira.xwiki.org/browse/XWIKI-18400
For more information
If you have any questions or comments about this advisory:
- Open an issue in the XWiki Jira
- Email the XWiki security mailing list
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg0bTQtcGdwNC13aGdt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00086
EPSS Percentile: 0.37524
Identifiers: GHSA-h4m4-pgp4-whgm, CVE-2021-32731
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4m4-pgp4-whgm
- https://nvd.nist.gov/vuln/detail/CVE-2021-32731
- https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2
- https://jira.xwiki.org/browse/XWIKI-18400
- https://github.com/advisories/GHSA-h4m4-pgp4-whgm
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-web
Affected Version Ranges: >= 13.1, < 13.2
Fixed in: 13.2