SB2021070132 - Multiple vulnerabilities in XWiki platform


Published: July 1, 2021 Updated: May 5, 2026

Security Bulletin ID: SB2021070132
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 50%
Low: 50%

Description

This security bulletin contains information about 6 vulnerabilities.


1) Open redirect (CVE-ID: CVE-2022-23618)

The vulnerability allows a remote attacker to redirect users to an untrusted site.

The vulnerability exists due to URL redirection to an untrusted site in the handling of the xredirect parameter in XWiki platform when processing user-supplied redirect parameters. A remote attacker can supply a crafted xredirect parameter to redirect users to an untrusted site.

User interaction is required.
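As an added defensive example (not XWiki's own code), the kind of allow-list check a redirect-target parameter such as xredirect needs before the server issues the redirect; the parameter name comes from the bulletin, the allowed host name and the example paths are constructed.

```python
from urllib.parse import urlsplit

# Constructed: host names of our own wiki that an absolute redirect may target.
ALLOWED_HOSTS = {"wiki.example"}


def is_safe_redirect(xredirect, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if the redirect target stays on the local site."""
    if not xredirect:
        return False
    # Browsers normalise control characters and treat "/\host" like "//host",
    # so reject both before parsing rather than trying to canonicalise them.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in xredirect) or "\\" in xredirect:
        return False
    parts = urlsplit(xredirect)
    if parts.scheme:
        # Absolute URL: only http(s), and only to a host we own. .hostname
        # lowercases and strips userinfo, so "https://wiki.example@evil.example/"
        # resolves to evil.example and is rejected.
        if parts.scheme not in ("http", "https"):
            return False
        return parts.hostname in allowed_hosts
    if parts.netloc:
        # Scheme-relative "//evil.example/..." keeps the scheme, changes the host.
        return False
    # Site-relative path: must start with exactly one "/".
    return xredirect.startswith("/") and not xredirect.startswith("//")


def safe_redirect_target(xredirect, default="/bin/view/Main/"):
    """Return the validated target, or a fixed local landing page otherwise."""
    return xredirect if is_safe_redirect(xredirect) else default


if __name__ == "__main__":
    # Constructed sample values, as they might arrive in the xredirect parameter.
    for value in ("/bin/view/Main/WebHome", "https://wiki.example/bin/view/Sandbox/",
                  "//evil.example/", "/\\evil.example/", "javascript:alert(1)",
                  "https://wiki.example@evil.example/"):
        print(f"{value!r:45} -> {safe_redirect_target(value)}")
```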


2) Incomplete List of Disallowed Inputs (CVE-ID: CVE-2021-43841)

The vulnerability allows a remote user to execute script in the victim's browser.

The vulnerability exists due to an incomplete list of disallowed inputs in SVG file upload handling when an uploaded SVG file is served through the download action. A remote user can upload a crafted SVG file that executes script in the victim's browser.

User interaction is required to execute the download action on the uploaded file, and the issue occurs with the default configuration.


3) Missing Authorization (CVE-ID: CVE-2022-23617)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in page template handling when creating a new page from an existing page used as a template. A remote user can specify an existing page as the template for a new page, copying its content into the new page and disclosing sensitive information.

Exploitation requires edit rights.


4) Exposure of Sensitive Information Through Data Queries (CVE-ID: CVE-2021-32732)

The vulnerability allows a remote attacker to disclose sensitive information about user accounts.

The vulnerability exists due to exposure of sensitive information through data queries in the Forgot Username form when handling forged requests to the Forgot Username page. A remote attacker can send specially crafted requests containing email addresses to disclose sensitive information about user accounts.

The issue can reveal whether an account exists for a given email address and which username or usernames are associated with that email address.


5) Information disclosure (CVE-ID: CVE-2021-32731)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the reset password form when a username is submitted. A remote attacker can submit a username to obtain the email address associated with that account.


6) Cross-site request forgery (CVE-ID: CVE-2021-32730)

The vulnerability allows a remote user to modify user passwords.

The vulnerability exists due to cross-site request forgery (CSRF) in the password change form when handling password change requests. A remote user can forge a URL that, when accessed, resets the password of any user.

User interaction is required, and the crafted URL must be accessed by an administrator.


Remediation

Install the update from the vendor's website.