CVE-2021-32621

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32621
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32621.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-32621
Aliases
Related
Published
2021-05-28T21:15:08Z
Modified
2025-10-14T18:25:15.178104Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without the Script or Programming right is able to execute scripts that require privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
            "signature_type": "Function",
            "target": {
                "function": "getGadgets",
                "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java"
            },
            "deprecated": false,
            "digest": {
                "length": 1005.0,
                "function_hash": "320410905558089094281692022948328430153"
            },
            "id": "CVE-2021-32621-59ce8767"
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
            "signature_type": "Line",
            "target": {
                "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "253825524754872925471870056296194100151",
                    "246231334577973883233300413877574428917",
                    "266794873904673098447877299958028924968",
                    "20136689313709188912260709072125715415",
                    "24347539411103939997957456250745781424",
                    "308423107115460905053613977459743676507",
                    "132426658199235778085679212435919208817",
                    "295803082873100392308989118164918124093",
                    "290601319325029777080427844168705597837",
                    "244691295763764658791769228348765481688",
                    "110602821388625314495288269469377767865",
                    "150834224865473128030359799419405465885",
                    "144211676287051941019438726717970355434",
                    "217814406885121996619973149776895151698",
                    "134212944258462178064134777224384914862",
                    "53353947765768316107488710153612568163",
                    "321430418941069131196007472431619244262",
                    "302647718985098805089167321151920783999",
                    "36677443527597280127369445784096817817",
                    "202620142384334519492030889394489091097",
                    "15548933824433952531435999933224021074",
                    "21442905281451565793770816888467751731",
                    "292545816074350483186573137975517557845",
                    "102167274986190022125414330938554412408",
                    "33813606929943517251747600128368821029",
                    "305031149979779869987921109516333835857",
                    "100509612677401975700681450659544709267",
                    "217029625547371224339014733429564770316",
                    "183384359119283323032633264849246325111",
                    "153103528490214334915846244854463816735",
                    "65596983425684319649064981181962710540",
                    "113191135265617563443761591617860483938",
                    "92413034176314844970802352667786995969",
                    "142515433425196326574614725368789994297",
                    "16272837630852043056359228231602364839",
                    "259342618098353589188741747391196199502",
                    "55320252117280574202930803484819258689",
                    "3304352288304965621828175823238381909",
                    "164122255735781601640865997919345587809",
                    "109324526046608358649789618361128211877",
                    "146430294455283343440845945319109891609"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2021-32621-796e8fae"
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
            "signature_type": "Function",
            "target": {
                "function": "prepareGadgets",
                "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/main/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSource.java"
            },
            "deprecated": false,
            "digest": {
                "length": 1258.0,
                "function_hash": "33375473102262479671447847022027611077"
            },
            "id": "CVE-2021-32621-81dd54ba"
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
            "signature_type": "Function",
            "target": {
                "function": "setup",
                "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java"
            },
            "deprecated": false,
            "digest": {
                "length": 2229.0,
                "function_hash": "283491026083551100588717491686267796562"
            },
            "id": "CVE-2021-32621-92bb4c18"
        },
        {
            "signature_version": "v1",
            "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
            "signature_type": "Line",
            "target": {
                "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/main/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSource.java"
            },
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "27546729016509600432046951463681857115",
                    "327806149183543796428016526254439075994",
                    "226457648369618218380735137449165852403",
                    "283304107780773524003167056351693901210",
                    "49572689214454380636041099751709499519",
                    "34198036493635760434176264058853505546",
                    "39023952895122358705721879189030109762",
                    "193760471552211522497473047731003711897",
                    "71275962790752498558554383750928586633",
                    "251521822633896693155860326690800962829",
                    "177359891142590041267097881812554527492",
                    "57688733293763263633283076611567345769",
                    "124479147727079482209377287857261616807",
                    "114111363913194830210338655080586436575",
                    "212927241456065567655087731127107111725",
                    "29071307420221519467851764248679665711",
                    "104065128676037727777524997613468551741",
                    "107152879788811108262242940507594226780",
                    "21919405188680667282878953298372722176",
                    "232541998267856711667649019501085133366",
                    "316532816246079767045661959948274575322",
                    "205370094394958551912751111524421759028",
                    "213641488172193250183708637741393415395",
                    "307412470134478280260614531311113880948",
                    "315073376998828374014972663005707912892",
                    "157400678479481631308474154347157194994",
                    "70398978414177221523848211065678943258",
                    "98709189384888709894899428254250063725",
                    "188581809417913851695671278888841949837",
                    "124795088745617588091869729050530332460",
                    "275880931230196279795631052040532255304",
                    "100653908201686917345166980793193411258"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2021-32621-f85581f5"
        }
    ]
}