SB2021051825 - Multiple vulnerabilities in XWiki platform
Published: May 18, 2021 Updated: May 5, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Protection Mechanism Failure (CVE-ID: CVE-2021-32729)
The vulnerability allows a remote user to modify authentication failure records.
The vulnerability exists due to protection mechanism failure in the authentication script service method when handling requests to reset authentication failures. A remote privileged user can invoke the reset method to modify authentication failure records.
User interaction is required.
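The request shape behind this class of issue, shown as an added illustration and not as XWiki's own code: a hypothetical service method for resetting authentication failure records, written first in a weak form that accepts any authenticated session, and then hardened so the caller must hold an explicit administrative right and present a per-session anti-CSRF token (the "user interaction" in such reports is typically a logged-in administrator being made to submit the request). The right name "admin", the store, the session object and the sample failure counts are assumptions made for this example.

```python
# Added example (hypothetical, not XWiki code): a "reset authentication failures"
# service method in a weak shape and in a hardened shape.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class Forbidden(Exception):
    """Raised when a request fails the authorization or anti-CSRF check."""


@dataclass
class Session:
    user: str
    rights: Set[str]
    # One unguessable token per session; server-rendered forms embed it and the
    # handler compares the submitted copy against it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class AuthFailureStore:
    """In-memory store of per-user failed-login counts plus an audit trail."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (actor, action, target)

    def record_failure(self, username: str) -> int:
        self.failures[username] = self.failures.get(username, 0) + 1
        return self.failures[username]

    def reset(self, username: str, actor: str) -> None:
        self.failures[username] = 0
        self.audit.append((actor, "reset_auth_failures", username))


def reset_failures_weak(store: AuthFailureStore, session: Session, target: str) -> bool:
    # Weak shape: any authenticated session may clear the record, and nothing ties
    # the request to a form this user actually submitted, so a request that rides
    # on a logged-in user's browser session succeeds.
    store.reset(target, session.user)
    return True


def reset_failures_hardened(store: AuthFailureStore, session: Session,
                            target: str, submitted_token: str) -> bool:
    # 1. Authorization: clearing lockout state is an administrative action,
    #    so the caller must hold the (assumed) "admin" right.
    if "admin" not in session.rights:
        raise Forbidden("resetting authentication failures requires the admin right")
    # 2. Anti-CSRF: the submitted token must match this session's own token.
    #    Constant-time comparison so the check does not leak by timing.
    if not submitted_token or not hmac.compare_digest(
            submitted_token.encode(), session.csrf_token.encode()):
        raise Forbidden("missing or invalid anti-CSRF token")
    store.reset(target, session.user)
    return True


if __name__ == "__main__":
    # Constructed scenario: "bob" has locked himself out; "mallory" has no rights.
    store = AuthFailureStore()
    for _ in range(3):
        store.record_failure("bob")
    mallory = Session(user="mallory", rights=set())
    alice = Session(user="alice", rights={"admin"})
    try:
        reset_failures_hardened(store, mallory, "bob", mallory.csrf_token)
    except Forbidden as exc:
        print("rejected:", exc)
    reset_failures_hardened(store, alice, "bob", alice.csrf_token)
    print("audit trail:", store.audit)
```

The two checks are independent: the right check stops an unprivileged caller outright, while the token check stops a privileged user's session from being driven by a request the user did not knowingly submit. The audit entry gives the defender a record of who cleared which lockout.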
2) Improper access control (CVE-ID: CVE-2021-32621)
The vulnerability allows a remote user to execute scripts that require privileges the user does not hold.
The vulnerability exists due to improper access control on gadget titles in the dashboard: the title is not checked when a gadget is edited, so a remote user can inject crafted script content into it and have that script executed with privileges the user lacks.
The issue affects users without Script or Programming right.
3) Improper access control (CVE-ID: CVE-2022-23615)
The vulnerability allows a remote user to disclose sensitive information and modify data.
The vulnerability exists due to improper access control when a document is saved by a user who holds programming rights: the saved document acquires the rights of that user. A remote privileged user can cause such a save so that the resulting document carries the current user's rights, and then use it to disclose sensitive information and modify data.
User interaction is required, and exploitation is possible when the current user has programming right.
4) Improper access control (CVE-ID: CVE-2021-32620)
The vulnerability allows a remote user to reactivate a disabled account.
The vulnerability exists due to improper access control in the account activation mechanism when using the registration activation link after the account has been disabled. A remote user can use a previously issued activation link to reactivate a disabled account.
Only users registered with email verification are affected.
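An added example of the activation-link handling this entry describes; it is a hypothetical account model, not XWiki's code or its fix. The weak activation routine only compares the link's token, so the link from the original registration e-mail keeps working after an administrator has disabled the account. The hardened routine activates only accounts still in the pending state, refuses an expired token, compares in constant time, and consumes the token on first use, so a saved link cannot be replayed. The status values, the 24-hour lifetime, the field names and the sample accounts are assumptions made for this example.

```python
# Added example (hypothetical, not XWiki code): e-mail activation links that are
# bound to account state, expire, and are single use.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    PENDING = "pending"      # registered, e-mail address not yet verified
    ACTIVE = "active"
    DISABLED = "disabled"    # switched off by an administrator


ACTIVATION_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of an activation link


@dataclass
class Account:
    name: str
    status: Status = Status.PENDING
    token_hash: Optional[str] = None  # SHA-256 of the link token; None once consumed
    token_issued_at: float = 0.0


def _hash(token: str) -> str:
    # Only the hash is stored, so a database read does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_activation_link(account: Account, now: float) -> str:
    """Return the secret that goes into the e-mailed link; store only its hash."""
    token = secrets.token_urlsafe(32)
    account.token_hash = _hash(token)
    account.token_issued_at = now
    return token


def disable(account: Account) -> None:
    """Administrative disable: flips the status only (the state check below is
    what protects the hardened path; clearing token_hash here would be extra)."""
    account.status = Status.DISABLED


def activate_weak(account: Account, token: str) -> bool:
    # Weak: checks the token but ignores the account's state and never consumes
    # the token, so a disabled account can be re-enabled with the old link.
    if account.token_hash is not None and account.token_hash == _hash(token):
        account.status = Status.ACTIVE
        return True
    return False


def activate_hardened(account: Account, token: str, now: float) -> bool:
    # Activation only makes sense for an account still awaiting verification;
    # a disabled (or already active) account is refused regardless of the token.
    if account.status is not Status.PENDING:
        return False
    # No outstanding token: already used, or never issued.
    if account.token_hash is None:
        return False
    # Links expire; one from an old registration e-mail is refused.
    if now - account.token_issued_at > ACTIVATION_TTL_SECONDS:
        return False
    # Constant-time comparison of the stored and presented hashes.
    if not hmac.compare_digest(account.token_hash.encode(), _hash(token).encode()):
        return False
    account.status = Status.ACTIVE
    account.token_hash = None  # single use: the same link cannot be replayed
    return True


if __name__ == "__main__":
    now = 1_000_000.0  # constructed clock value
    acct = Account("sample-user")
    link_token = issue_activation_link(acct, now)
    print("first activation:", activate_hardened(acct, link_token, now))
    disable(acct)
    print("replay after disable:", activate_hardened(acct, link_token, now))
```

The state check is the decisive one: even if a token were somehow left outstanding, an account that is no longer pending cannot be activated by it. Expiry and single use close the remaining window in which a leaked or forwarded link stays valid.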
Remediation
Install the update from the vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m738-3rc4-5xv3
- https://jira.xwiki.org/browse/XWIKI-18276
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc
- https://jira.xwiki.org/browse/XWIKI-17794
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r
- https://jira.xwiki.org/browse/XWIKI-5024
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-76mp-659p-rw65
- https://jira.xwiki.org/browse/XWIKI-17942