CVE-2021-32621

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32621
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32621.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-32621
Aliases
Related
Published
2021-05-28T21:15:08.980Z
Modified
2025-12-03T02:11:22.934221Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without the Script or Programming right can execute scripts that require those rights by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java",
            "function": "getGadgets"
        },
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
        "id": "CVE-2021-32621-59ce8767",
        "digest": {
            "function_hash": "320410905558089094281692022948328430153",
            "length": 1005.0
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java"
        },
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
        "id": "CVE-2021-32621-796e8fae",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "253825524754872925471870056296194100151",
                "246231334577973883233300413877574428917",
                "266794873904673098447877299958028924968",
                "20136689313709188912260709072125715415",
                "24347539411103939997957456250745781424",
                "308423107115460905053613977459743676507",
                "132426658199235778085679212435919208817",
                "295803082873100392308989118164918124093",
                "290601319325029777080427844168705597837",
                "244691295763764658791769228348765481688",
                "110602821388625314495288269469377767865",
                "150834224865473128030359799419405465885",
                "144211676287051941019438726717970355434",
                "217814406885121996619973149776895151698",
                "134212944258462178064134777224384914862",
                "53353947765768316107488710153612568163",
                "321430418941069131196007472431619244262",
                "302647718985098805089167321151920783999",
                "36677443527597280127369445784096817817",
                "202620142384334519492030889394489091097",
                "15548933824433952531435999933224021074",
                "21442905281451565793770816888467751731",
                "292545816074350483186573137975517557845",
                "102167274986190022125414330938554412408",
                "33813606929943517251747600128368821029",
                "305031149979779869987921109516333835857",
                "100509612677401975700681450659544709267",
                "217029625547371224339014733429564770316",
                "183384359119283323032633264849246325111",
                "153103528490214334915846244854463816735",
                "65596983425684319649064981181962710540",
                "113191135265617563443761591617860483938",
                "92413034176314844970802352667786995969",
                "142515433425196326574614725368789994297",
                "16272837630852043056359228231602364839",
                "259342618098353589188741747391196199502",
                "55320252117280574202930803484819258689",
                "3304352288304965621828175823238381909",
                "164122255735781601640865997919345587809",
                "109324526046608358649789618361128211877",
                "146430294455283343440845945319109891609"
            ]
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/main/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSource.java",
            "function": "prepareGadgets"
        },
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
        "id": "CVE-2021-32621-81dd54ba",
        "digest": {
            "function_hash": "33375473102262479671447847022027611077",
            "length": 1258.0
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Function",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java",
            "function": "setup"
        },
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
        "id": "CVE-2021-32621-92bb4c18",
        "digest": {
            "function_hash": "283491026083551100588717491686267796562",
            "length": 2229.0
        },
        "signature_version": "v1"
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/main/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSource.java"
        },
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc",
        "id": "CVE-2021-32621-f85581f5",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "27546729016509600432046951463681857115",
                "327806149183543796428016526254439075994",
                "226457648369618218380735137449165852403",
                "283304107780773524003167056351693901210",
                "49572689214454380636041099751709499519",
                "34198036493635760434176264058853505546",
                "39023952895122358705721879189030109762",
                "193760471552211522497473047731003711897",
                "71275962790752498558554383750928586633",
                "251521822633896693155860326690800962829",
                "177359891142590041267097881812554527492",
                "57688733293763263633283076611567345769",
                "124479147727079482209377287857261616807",
                "114111363913194830210338655080586436575",
                "212927241456065567655087731127107111725",
                "29071307420221519467851764248679665711",
                "104065128676037727777524997613468551741",
                "107152879788811108262242940507594226780",
                "21919405188680667282878953298372722176",
                "232541998267856711667649019501085133366",
                "316532816246079767045661959948274575322",
                "205370094394958551912751111524421759028",
                "213641488172193250183708637741393415395",
                "307412470134478280260614531311113880948",
                "315073376998828374014972663005707912892",
                "157400678479481631308474154347157194994",
                "70398978414177221523848211065678943258",
                "98709189384888709894899428254250063725",
                "188581809417913851695671278888841949837",
                "124795088745617588091869729050530332460",
                "275880931230196279795631052040532255304",
                "100653908201686917345166980793193411258"
            ]
        },
        "signature_version": "v1"
    }
]