Xwiki · Xwiki Platform · CVE-2022-23616
**Name of the Vulnerable Software and Affected Versions**
XWiki Platform versions prior to 13.1RC1
**Description**
The issue allows an unprivileged user to perform remote code execution by injecting a Groovy script into her own profile and then calling the Reset password feature, which saves the user profile with programming rights.
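The mechanism above hinges on script macros sitting in a user-editable profile document. The following Python check is an added example, not code from the advisory or from the XWiki project: it scans an XWiki-style document export for script macros in free-text fields, so an administrator can audit profiles before they are saved with elevated rights. It assumes a simplified `<xwikidoc>` export layout (constructed below) and an illustrative, non-exhaustive macro list.

```python
import re
import xml.etree.ElementTree as ET

# XWiki script macros that execute when a document is rendered or saved with
# programming rights (assumption: list is illustrative, not exhaustive).
SCRIPT_MACROS = ("groovy", "velocity", "python", "php")

# Matches an opening macro tag such as {{groovy}} or {{ Groovy param="x" }};
# closing tags like {{/groovy}} do not match because of the leading slash.
MACRO_RE = re.compile(
    r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b[^}]*\}\}", re.IGNORECASE
)

def find_script_macros(text):
    """Return lower-cased macro names found in a wiki-syntax string."""
    return [m.group(1).lower() for m in MACRO_RE.finditer(text or "")]

def scan_user_document(xml_text):
    """Scan a document export for script macros in content and object fields.

    Assumption: the export follows the simplified <xwikidoc> layout of the
    constructed sample below (page <content> plus <object><property> fields).
    Returns a list of (location, macro) tuples, one per hit.
    """
    root = ET.fromstring(xml_text)
    hits = [("content", m) for m in find_script_macros(root.findtext("content"))]
    for obj in root.iter("object"):
        cls = obj.findtext("className", "?")
        for prop in obj.iter("property"):
            for field in prop:  # one child element per property name
                for macro in find_script_macros(field.text):
                    hits.append((f"{cls}.{field.tag}", macro))
    return hits

# Constructed sample: a user profile whose free-text fields carry script macros.
SAMPLE_PROFILE = """<xwikidoc>
  <web>XWiki</web>
  <name>jdoe</name>
  <content>{{groovy}}println("hello"){{/groovy}}</content>
  <object>
    <className>XWiki.XWikiUsers</className>
    <property><first_name>Jane</first_name></property>
    <property><comment>{{ Velocity }}$xcontext{{/velocity}}</comment></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for location, macro in scan_user_document(SAMPLE_PROFILE):
        print(f"script macro '{macro}' found in {location}")
```

Any hit in a profile that a non-privileged user can edit is a signal to review the document before a privileged save path such as Reset password touches it.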
**Recommendations**
For versions prior to 13.1RC1, consider the following workarounds:
1. The Reset password feature can be entirely disabled by deleting the XWiki/ResetPassword page.
2. The script in XWiki/ResetPassword can also be modified or removed: an administrator can replace it with a simple email contact through which users ask an administrator to reset their password.