CVE-2021-32620
Published 2021-05-28
Priority P350 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 1.13% (62.4th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration could re-activate themself by using the activation link provided for their registration. The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0. It is possible to work around the issue by resetting the `validkey` property of the disabled XWiki users. This can be done by editing the user profile with the object editor.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 11.6 < 11.10.13 | 11.10.13 |
| xwiki | xwiki | >= 12.0 < 12.6.7 | 12.6.7 |
| xwiki | xwiki | >= 12.10.3 < 13.0 | 13.0 |
| xwiki | xwiki | >= 12.7 < 12.10.2 | 12.10.2 |
| xwiki | xwiki-platform | < 11.10.13 | 11.10.13 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
OSV · 2021-05-18
CVE-2021-32620 [HIGH] XWiki users registered with email verification can self re-activate their disabled accounts
### Impact
A user disabled on a wiki using email verification for registration can re-activate himself by using the activation link provided for his registration.
### Patches
The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0.
### Workarounds
It's possible to work around the issue by resetting the `validkey` property of the disabled XWiki users. This can be done by editing the user profile with the object editor.
### References
https://jira.xwiki.org/browse/XWIKI-17942
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](http://jira.xwiki.org)
* Email us at [Security mailing-list](mailto:security@x
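The Impact and Workarounds sections above describe the flaw at the level of state: an activation link carries a key stored in the user's `validkey` property, disabling the account does not invalidate that key, so the link keeps working. The following Python model is an added illustration and is not XWiki's code; the `User` fields, function names and the flow are hypothetical simplifications of what the advisory states. It shows the vulnerable check (any matching key re-enables the account), a hardened check (activation completes only a first-time verification and consumes the key), and the advisory's workaround (clearing the stored key on a disabled account), each exercised end to end.

```python
"""
Illustrative model (not XWiki code) of the account-activation flaw described in
CVE-2021-32620 and of two ways to close it: a hardened activation check, and the
advisory's workaround of resetting `validkey` on a disabled account.
All names here are hypothetical; XWiki's real user object and flow differ.
"""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class User:
    name: str
    active: bool = False            # False = disabled (pending verification or admin-disabled)
    verified: bool = False          # email verification completed at least once
    validkey: Optional[str] = None  # one-time token embedded in the emailed activation link


def register_with_email_verification(name: str) -> User:
    """A new account starts disabled; the emailed activation link carries `validkey`."""
    return User(name=name, active=False, verified=False, validkey=secrets.token_urlsafe(16))


def disable_user(user: User) -> None:
    """Administrator action. Note that `validkey` is left in place: this is the
    state the advisory describes, where the old activation link still works."""
    user.active = False


def activate_vulnerable(user: User, key: str) -> bool:
    """Vulnerable logic: a matching key re-enables the account regardless of
    whether an administrator disabled it after verification."""
    if user.validkey is not None and secrets.compare_digest(user.validkey, key):
        user.active = True
        user.verified = True
        return True
    return False


def activate_fixed(user: User, key: str) -> bool:
    """Hardened logic: the link only completes a first-time verification, and the
    key is consumed, so a later admin disable cannot be undone by replaying it."""
    if user.verified:
        return False
    if user.validkey is None or not secrets.compare_digest(user.validkey, key):
        return False
    user.active = True
    user.verified = True
    user.validkey = None  # single use
    return True


def reset_validkey(user: User) -> None:
    """The advisory's workaround: clearing the stored key invalidates the old link."""
    user.validkey = None


def demo_vulnerable() -> bool:
    """Returns True when a disabled user regains access via the old link (the bug)."""
    u = register_with_email_verification("alice")
    link_key = u.validkey
    activate_vulnerable(u, link_key)  # legitimate first activation
    disable_user(u)                   # administrator disables the account
    return activate_vulnerable(u, link_key) and u.active


def demo_fixed() -> bool:
    """Same sequence against the hardened check; returns True only if access is regained."""
    u = register_with_email_verification("alice")
    link_key = u.validkey
    if not activate_fixed(u, link_key):
        raise RuntimeError("first-time activation should succeed")
    disable_user(u)
    return activate_fixed(u, link_key) or u.active


def demo_workaround() -> bool:
    """Vulnerable check left in place, but the workaround applied after disabling."""
    u = register_with_email_verification("bob")
    link_key = u.validkey
    activate_vulnerable(u, link_key)
    disable_user(u)
    reset_validkey(u)                 # what "resetting the validkey property" achieves
    return activate_vulnerable(u, link_key) or u.active


if __name__ == "__main__":
    print("vulnerable path re-enabled account:", demo_vulnerable())   # True
    print("fixed path re-enabled account:     ", demo_fixed())        # False
    print("workaround path re-enabled account:", demo_workaround())   # False
```

The hardened version ties activation to the account's verification state rather than to key possession alone, which is the authorization distinction behind the CWE-285 classification; the workaround reaches the same outcome on an unpatched instance by removing the key the link depends on.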
GHSA · 2021-05-18
CVE-2021-32620 [HIGH] CWE-285 XWiki users registered with email verification can self re-activate their disabled accounts
Advisory text: identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
* https://github.com/xwiki/xwiki-platform/commit/f9a677408ffb06f309be46ef9d8df1915d9099a4
* https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-76mp-659p-rw65
* https://jira.xwiki.org/browse/XWIKI-17942
Published 2021-05-28