Advisories for Maven/Org.xwiki.platform/Xwiki-Platform-Security-Authentication-Default package

It was possible to inject some code using the URL of authenticate endpoints, e.g. https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword

We discovered that when the reset a forgotten password feature of XWiki was used, the password was then stored in plain text in database. This only concerns XWiki 13.1RC1 and next versions.