PT-2022-10092 · Xwiki · Xwiki

Simon Urli · Published 2022-02-04 · Updated 2022-02-10 · CVE-2021-32732

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 12.10.5; XWiki versions prior to 13.2RC1

Description: It is possible to determine whether a user account in a wiki is tied to a given email address, and which username(s) are tied to it, by forging a request to the "Forgot username" page. This is due to the lack of a CSRF check on that page, which makes it easy to submit many such requests.

Recommendations: For versions prior to 12.10.5, update to version 12.10.5 or later. For versions prior to 13.2RC1, update to version 13.2RC1 or later. As a temporary workaround for versions below 13.x, edit the ForgotUsername page to use the provided code. For versions after 13.x, consider editing the forgotusername.vm file manually, but upgrading the version is recommended.
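Until the upgrade is applied, the enumeration described above leaves a footprint in the web server's access log: a client sending a burst of form submissions to the ForgotUsername page, typically without the same-origin Referer a browser-submitted form carries. The following detector is an added example, not code from the advisory or the XWiki project; it assumes the wiki is served at https://wiki.example.org at the default XWiki page path and that the access log is in the common "combined" format, with a constructed sample log embedded inline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (not from the advisory): wiki origin and the default XWiki.ForgotUsername path.
WIKI_ORIGIN = "https://wiki.example.org"
FORGOT_PATH = "/xwiki/bin/view/XWiki/ForgotUsername"
WINDOW_SECONDS = 60  # tune window and threshold to the wiki's normal traffic
BURST = 5

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def analyze(lines):
    # Returns {ip: {"burst": bool, "foreign_referer": int}} for clients POSTing to the page.
    hits, foreign = defaultdict(list), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == FORGOT_PATH:
            hits[rec["ip"]].append(rec["time"])
            # A form submitted from the wiki carries a same-origin Referer; a forged
            # cross-site request usually does not. Weak signal: browsers may strip it.
            if not rec["referer"].startswith(WIKI_ORIGIN + "/"):
                foreign[rec["ip"]] += 1
    report = {}
    for ip, times in hits.items():
        times.sort()  # sliding window: BURST requests within WINDOW_SECONDS
        burst = any((times[i + BURST - 1] - times[i]).total_seconds() <= WINDOW_SECONDS
                    for i in range(len(times) - BURST + 1))
        report[ip] = {"burst": burst, "foreign_referer": foreign[ip]}
    return report

# Constructed sample: one genuine user, one client hammering the page cross-site.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Feb/2022:10:00:00 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512 "https://wiki.example.org/xwiki/bin/view/XWiki/ForgotUsername" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [04/Feb/2022:10:01:{s:02d} +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512 "-" "python-requests/2.27"'
    for s in range(0, 50, 10)
]
```

Run `analyze(SAMPLE_LOG)` (or feed real log lines) to get, per client IP, whether a burst was seen and how many submissions lacked a same-origin Referer.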

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2021-32732
GHSA-VH5C-JQFG-MHRH

Affected Products

Xwiki