Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY5ajItcTRxNS1jeGg0
No CSRF protection on the password change form
Impact
It's possible for forge an URL that, when accessed by an admin, will reset the password of any user in XWiki.
Patches
The problem has been patched in XWiki 12.10.5, 13.2RC1.
Workarounds
It's possible to apply the patch manually by modifying the register_macros.vm template like in https://github.com/xwiki/xwiki-platform/commit/0a36dbcc5421d450366580217a47cc44d32f7257.
References
https://jira.xwiki.org/browse/XWIKI-18315
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki
- Email us at security ML
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXY5ajItcTRxNS1jeGg0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-v9j2-q4q5-cxh4, CVE-2021-32730
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-v9j2-q4q5-cxh4
- https://nvd.nist.gov/vuln/detail/CVE-2021-32730
- https://github.com/xwiki/xwiki-platform/commit/0a36dbcc5421d450366580217a47cc44d32f7257
- https://jira.xwiki.org/browse/XWIKI-18315
- https://github.com/advisories/GHSA-v9j2-q4q5-cxh4
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-administration-ui
Affected Version Ranges: >= 13.0, < 13.2, < 12.10.5Fixed in: 13.2, 12.10.5