Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 13.1RC1 through 13.1 (inclusive), the reset-password form reveals a user's email address to anyone who supplies that user's username. The problem has been patched in XWiki 13.2RC1. As a workaround, the `resetpasswordinline.vm` template can be edited by hand to apply the same changes the fix makes.
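As an added illustration (not XWiki code and not the contents of `resetpasswordinline.vm`), the Python below sketches the response pattern the description objects to beside the mitigated form, plus the check a practitioner would run against a reset-password page after patching or applying the workaround. The user directory and message texts are constructed for the example; the hardened handler uses a uniform message so the response carries no per-account data, and the address is only ever used server-side to queue the reset e-mail.

```python
import re
import secrets

# Constructed sample directory for the example (not XWiki data):
# username -> e-mail address on file.
USERS = {
    "alice": "alice@example.org",
    "bob": "bob@example.org",
}

# Loose pattern, sufficient to spot an e-mail address echoed in a response body.
EMAIL_RE = re.compile(r"[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+")

# Fixed text returned for every request in the hardened variant.
UNIFORM_MESSAGE = (
    "If an account exists for this username, a password reset link has "
    "been sent to the e-mail address on file."
)


def vulnerable_reset_message(username: str) -> str:
    """Response pattern of the CWE-200 class the advisory describes: the
    confirmation text echoes the account's e-mail address, so knowing a
    username is enough to learn the address. (This toy also answers
    differently for unknown users, which additionally permits username
    enumeration; that is a property of the toy, not a claim about XWiki.)"""
    email = USERS.get(username)
    if email is None:
        return "No account found for this username."
    return f"A password reset link has been sent to {email}."


def hardened_reset_message(username: str, outbox: list) -> str:
    """Mitigated pattern: the e-mail address is used only server-side to
    queue the reset message, and the caller sees the same text whether or
    not the username exists. `outbox` stands in for the mail subsystem."""
    email = USERS.get(username)
    if email is not None:
        # The token goes only into the e-mail, never into the HTTP response.
        outbox.append({"to": email, "token": secrets.token_urlsafe(32)})
    return UNIFORM_MESSAGE


def discloses_email(message: str) -> bool:
    """Check a response body for any echoed e-mail address. Usable as a
    regression test against a reset-password page after applying a fix."""
    return EMAIL_RE.search(message) is not None


def is_uniform(handler, usernames) -> bool:
    """True when `handler` returns identical text for every username given,
    i.e. the response carries no per-account information."""
    seen = {handler(u) for u in usernames}
    return len(seen) == 1


if __name__ == "__main__":
    print("vulnerable:", vulnerable_reset_message("alice"))
    outbox = []
    print("hardened:  ", hardened_reset_message("alice", outbox))
    print("queued e-mail to:", outbox[0]["to"])
```

`discloses_email` and `is_uniform` are the two properties worth asserting in a regression test: no address in any response, and the same response for known and unknown usernames. Response timing (the hardened handler does more work for an existing user) is a separate side channel that this example does not address.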
References (3)
Patch, Third Party Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4m4-pgp4-whgm
Patch, Third Party Advisory x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-18400
Scores
CVSS v3
5.3
EPSS
0.0009
EPSS Percentile
24.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-web
13.1 - 13.2 (Maven)
xwiki/xwiki
13.1 (2 CPE variants)
Published
Jul 01, 2021
Tracked Since
Feb 18, 2026