Cross-site request forgery in XWiki platform - CVE-2021-32730

Published: July 1, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU130037
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-32730
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to modify user passwords.

The vulnerability exists due to cross-site request forgery (CSRF) in the password change form: the form handler accepts password change requests without verifying that they originated from the application itself. A remote attacker can forge a URL that resets the password of any user and thereby modify user passwords.

User interaction is required, and the crafted URL must be accessed by an administrator.
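The flaw class described above (CWE-352 on a password-change form) can be shown with a small, self-contained handler. The code below is an added illustration written for this advisory; it is not XWiki code and does not reproduce the actual XWiki form. It contrasts a handler that trusts any request carrying the session with one that rejects non-POST requests and requires a per-session form token that a page on another origin cannot read. The `Session`, `Request` and `change_password_*` names and the user store are constructed assumptions.

```python
"""Added example, not XWiki's code: a password-change handler without and
with CSRF protection. All names here are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session for a logged-in user; the browser only holds the cookie."""
    user: str
    # Unguessable per-session token that same-origin pages embed in their forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model: the cookie resolves to `session` regardless of
    which site caused the browser to send the request."""
    method: str
    params: dict
    session: Session


def _authorized(session: Session, target: str) -> bool:
    """Users may change their own password; 'admin' may change anyone's."""
    return target == session.user or session.user == "admin"


def change_password_vulnerable(req: Request, users: dict) -> int:
    """CSRF-prone handler: any request arriving with a valid session cookie
    is honoured, so a link or auto-submitted form on another site can
    change a password on behalf of whoever is logged in."""
    target = req.params.get("user", req.session.user)
    if not _authorized(req.session, target):
        return 403
    users[target] = req.params["password"]
    return 200


def change_password_protected(req: Request, users: dict) -> int:
    """Hardened handler: state changes only via POST, and only when the
    submitted form token matches the session's token (constant-time compare)."""
    if req.method != "POST":
        return 405  # a GET via a crafted URL cannot change state
    submitted = req.params.get("form_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return 403  # cross-origin forms cannot obtain the token
    target = req.params.get("user", req.session.user)
    if not _authorized(req.session, target):
        return 403
    users[target] = req.params["password"]
    return 200


def render_form(session: Session) -> str:
    """What the legitimate same-origin page embeds so its submission passes."""
    return (f'<form method="post"><input type="hidden" name="form_token" '
            f'value="{session.csrf_token}">...</form>')


if __name__ == "__main__":
    # Constructed scenario: an administrator's browser follows a crafted URL.
    admin = Session(user="admin")
    forged = Request("GET", {"user": "bob", "password": "pwned"}, admin)
    store = {"admin": "a", "bob": "b"}
    print("vulnerable:", change_password_vulnerable(forged, store), store["bob"])
    store = {"admin": "a", "bob": "b"}
    print("protected: ", change_password_protected(forged, store), store["bob"])
```

The protected handler fails closed on both checks: a crafted URL is refused as a GET, and a cross-origin form POST is refused because the attacker's page never sees the victim's token. Vendor fixes for this class of bug typically add exactly this kind of token validation to the affected form.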


Remediation

Install the security update from the vendor's website.

External links