CVE-2021-32732: Cross-Site Request Forgery (CSRF)
By forging a request to the "Forgot username" page, it is possible to determine whether an account in the wiki is associated with a given email address, and which username(s) are tied to that email.
References
- github.com/advisories/GHSA-vh5c-jqfg-mhrh
- github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf
- github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh
- jira.xwiki.org/browse/XWIKI-18384
- jira.xwiki.org/browse/XWIKI-18408
- nvd.nist.gov/vuln/detail/CVE-2021-32732