PT-2021-19889 · Xwiki · Xwiki Platform

Simon Urli · Published 2021-07-01 · Updated 2022-07-02 · CVE-2021-32729

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 12.6.8
XWiki Platform versions prior to 12.10.4
XWiki Platform versions prior to 13.0
(i.e. each maintained release line before its fix release: 12.6.x before 12.6.8, 12.7 through 12.10.x before 12.10.4, and 13.0 pre-releases before the final 13.0)
Description
XWiki Platform records failed authentication attempts and, once a configured threshold is reached, applies an authentication-failure strategy (for example a CAPTCHA or disabling the account) to slow down password guessing. The script service method that resets that failure record was callable by any user holding Script right; it did not require Programming right. A user with Script right (any account that can save a page containing a script, which many wikis grant to ordinary contributors) can therefore call the reset from a script between guesses, so the failure count never reaches the threshold and the brute-force protection is effectively switched off. Exploitation requires an authenticated account with Script right (CVSS Au:S); it does not require Programming right or administrator access.
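Worked example added here, not XWiki's own code and not part of the original advisory: a Python model of the failure counter, the script-service reset method and a guessing loop that calls the reset after every failed attempt. The class and method names, the threshold of three attempts and the account and password values are hypothetical; `required_right` set to Script right models the vulnerable builds, Programming right the fixed ones.

```python
"""Added example (not XWiki code): a model of the authentication-failure
lockout and of the reset bypass described in the advisory.

All class and method names here are hypothetical stand-ins for the XWiki
components they mimic (the failure manager and the script service).
"""
from dataclasses import dataclass, field
from enum import Enum


class Right(Enum):
    VIEW = "view"
    SCRIPT = "script"        # can run scripts in wiki pages
    PROGRAM = "programming"  # full trust; should gate security-sensitive APIs


class AccessDenied(Exception):
    pass


@dataclass
class User:
    name: str
    rights: set


@dataclass
class AuthFailureManager:
    """Counts failed logins per account and locks the account at a threshold."""
    max_attempts: int = 3
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_failure(self, username: str) -> None:
        n = self.failures.get(username, 0) + 1
        self.failures[username] = n
        if n >= self.max_attempts:
            self.locked.add(username)  # the failure strategy fires

    def is_locked(self, username: str) -> bool:
        return username in self.locked

    def reset(self, username: str) -> None:
        self.failures.pop(username, None)
        self.locked.discard(username)


@dataclass
class AuthenticationScriptService:
    """Script-facing wrapper. `required_right` is the right the reset method
    checks: Right.SCRIPT models the vulnerable behaviour, Right.PROGRAM the fix."""
    manager: AuthFailureManager
    required_right: Right

    def reset_authentication_failure_counter(self, caller: User, username: str) -> bool:
        if self.required_right not in caller.rights:
            raise AccessDenied(f"{caller.name} lacks {self.required_right.value} right")
        self.manager.reset(username)
        return True


# Constructed guess list; the victim's password is the 7th entry.
GUESSES = ["password", "123456", "letmein", "qwerty", "admin", "welcome", "hunter2", "changeme"]


def brute_force(service, attacker, victim, real_password, guesses):
    """Guess passwords and call the reset method after each failure.
    Returns (attempts_made, victim_locked, password_found)."""
    attempts = 0
    for guess in guesses:
        if service.manager.is_locked(victim):
            return attempts, True, False
        attempts += 1
        if guess == real_password:
            return attempts, False, True
        service.manager.record_failure(victim)
        try:
            service.reset_authentication_failure_counter(attacker, victim)
        except AccessDenied:
            pass  # fixed build: the counter keeps growing


def run_scenario(required_right: Right):
    """Attacker holds Script right only; victim 'admin' has password 'hunter2' (constructed)."""
    manager = AuthFailureManager(max_attempts=3)
    service = AuthenticationScriptService(manager, required_right)
    attacker = User("mallory", {Right.VIEW, Right.SCRIPT})
    return brute_force(service, attacker, "admin", "hunter2", GUESSES)


def admin_can_reset(required_right: Right) -> bool:
    """Legitimate use: an administrator with Programming right unlocks an account."""
    manager = AuthFailureManager(max_attempts=1)
    manager.record_failure("alice")
    service = AuthenticationScriptService(manager, required_right)
    admin = User("admin", {Right.VIEW, Right.SCRIPT, Right.PROGRAM})
    service.reset_authentication_failure_counter(admin, "alice")
    return not manager.is_locked("alice")


if __name__ == "__main__":
    print("vulnerable (Script right suffices):", run_scenario(Right.SCRIPT))
    print("fixed (Programming right required):", run_scenario(Right.PROGRAM))
```

With Script right sufficient, the attacker makes all seven attempts and finds the password; with Programming right required, the reset is denied and the account locks after the third failure. The administrator path still works in both configurations, which is the behaviour a fix should preserve.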
Recommendations
Upgrade to the fix release of your release line: 12.6.8 or later for 12.6.x, 12.10.4 or later for 12.7 through 12.10.x, and 13.0 or later for 13.0 pre-releases. Until the upgrade is done, restrict Script right to trusted users (review who holds it at the wiki, space and page level, since Script right is sometimes granted broadly to editors); this only mitigates the issue if no untrusted account can run scripts. Keep monitoring the logs for repeated authentication failures against the same account: each failure is still logged even when the attacker resets the counter, so the log remains a usable record of the attack.
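An added example for the monitoring recommendation, not from the advisory or the XWiki project: Python detection logic that counts authentication failures per account in a sliding window read from log lines, so the alert fires even when the server-side counter has been reset. The log line format, the logger names and every line of `SAMPLE_LOG` are constructed for this example; the two regexes must be adapted to the real log output.

```python
"""Added example (not XWiki code): sliding-window detection of repeated
authentication failures from log lines, independent of the server-side
counter. The log format and every line in SAMPLE_LOG are constructed for
this example; adapt the two regexes to the real log output."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
FAIL_RE = re.compile(TS + r".*Authentication failure for user \[(?P<user>[^\]]+)\] from \[(?P<ip>[^\]]+)\]")
RESET_RE = re.compile(TS + r".*Authentication failure counter reset for user \[(?P<user>[^\]]+)\]")

# Constructed log excerpt: four failures against 'admin' with a counter reset after
# each of the first three, plus one unrelated failure against 'bob'.
SAMPLE_LOG = """\
2021-07-01 10:00:01 WARN  AuthenticationFailureManager - Authentication failure for user [admin] from [203.0.113.7]
2021-07-01 10:00:02 INFO  AuthenticationScriptService - Authentication failure counter reset for user [admin]
2021-07-01 10:00:03 WARN  AuthenticationFailureManager - Authentication failure for user [admin] from [203.0.113.7]
2021-07-01 10:00:04 INFO  AuthenticationScriptService - Authentication failure counter reset for user [admin]
2021-07-01 10:00:05 WARN  AuthenticationFailureManager - Authentication failure for user [admin] from [203.0.113.7]
2021-07-01 10:00:06 INFO  AuthenticationScriptService - Authentication failure counter reset for user [admin]
2021-07-01 10:00:07 WARN  AuthenticationFailureManager - Authentication failure for user [bob] from [198.51.100.9]
2021-07-01 10:00:08 WARN  AuthenticationFailureManager - Authentication failure for user [admin] from [203.0.113.7]
"""


def parse_events(lines):
    """Yield (timestamp, kind, user) for failure and reset lines; skip others."""
    for line in lines:
        m = FAIL_RE.match(line)
        kind = "fail"
        if m is None:
            m = RESET_RE.match(line)
            kind = "reset"
        if m is None:
            continue
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), kind, m["user"]


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert once per user when `threshold` failures fall within `window`.
    Returns a list of (user, failures_in_window, resets_seen_so_far).
    Resets are counted, not honoured: the log is the record the attacker cannot clear."""
    recent = defaultdict(deque)
    resets = defaultdict(int)
    alerted = set()
    alerts = []
    for ts, kind, user in parse_events(lines):
        if kind == "reset":
            resets[user] += 1
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, len(q), resets[user]))
    return alerts


if __name__ == "__main__":
    for user, n, r in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {user}: {n} failures in window, {r} counter reset(s) interleaved")
```

On the sample excerpt the detector raises one alert for `admin` at the third failure, noting the two resets already seen; the interleaved resets are themselves a useful secondary signal, because a legitimate administrator rarely unlocks the same account several times within seconds.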

Fix

Weakness Enumeration
Improper Authentication
Protection Mechanism Failure
Incorrect Permission

Related Identifiers
CVE-2021-32729
GHSA-M738-3RC4-5XV3

Affected Products
Xwiki Platform