GHSA-76mp-659p-rw65

Source
https://github.com/advisories/GHSA-76mp-659p-rw65
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-76mp-659p-rw65/GHSA-76mp-659p-rw65.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-76mp-659p-rw65
Aliases
Published
2021-05-18T18:36:21Z
Modified
2023-11-08T04:05:54.627660Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
XWiki users registered with email verification can self re-activate their disabled accounts
Details

Impact

A user whose account has been disabled on a wiki that uses email verification for registration can re-activate that account without any administrator involvement, simply by reusing the activation link that was emailed at registration time.

Patches

The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0.

Workarounds

The issue can be worked around by resetting (clearing) the validkey property of each disabled XWiki user, which invalidates the registration activation link. This can be done by editing the user's profile page with the object editor.
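
To make the authorization flaw concrete, here is an added example that is not XWiki's code and not part of the original advisory: a small Python model of a registration-activation flow. The vulnerable handler validates the emailed validkey but never consumes it, so the same link re-enables an account after an administrator disables it; the hardened handler clears the key on first use. find_replayable and apply_workaround model the workaround above as an audit and a bulk remediation. The type and function names, the in-memory user store and the constructed users are assumptions; only the property names active and validkey mirror XWiki's user profile.

```python
"""Added example (not XWiki's code): a minimal model of the registration-activation
flow described in this advisory, with the replayable-link flaw beside a hardened
variant and the audit/remediation that corresponds to the workaround.

UserProfile, register, activate_*, disable, find_replayable and apply_workaround
are assumptions made for illustration; only the field names 'active' and
'validkey' mirror the XWiki user-profile properties the advisory refers to.
"""
import secrets
from dataclasses import dataclass


@dataclass
class UserProfile:
    name: str
    active: int = 0     # 0 = disabled (or not yet activated), 1 = active
    validkey: str = ""  # activation token carried by the emailed link


def register(users: dict, name: str) -> str:
    """Create a not-yet-active profile and return the token the mailed link carries."""
    key = secrets.token_hex(16)
    users[name] = UserProfile(name=name, validkey=key)
    return key


def _key_matches(user: UserProfile, key: str) -> bool:
    # Reject empty keys explicitly: compare_digest("", "") is True, so an
    # account whose validkey has been cleared must never match an empty request.
    return bool(key) and bool(user.validkey) and secrets.compare_digest(user.validkey, key)


def activate_vulnerable(users: dict, name: str, key: str) -> bool:
    """Checks the token but never consumes it, and never asks why the account
    is inactive. The same link therefore re-enables an account an administrator
    has deliberately disabled (the CWE-285/CWE-863 condition in the advisory)."""
    user = users.get(name)
    if user is None or not _key_matches(user, key):
        return False
    user.active = 1
    return True


def activate_hardened(users: dict, name: str, key: str) -> bool:
    """Same check, but the token is single-use: it is cleared on success, so a
    later replay of the link has nothing to match against."""
    user = users.get(name)
    if user is None or not _key_matches(user, key):
        return False
    user.active = 1
    user.validkey = ""
    return True


def disable(users: dict, name: str) -> None:
    """Administrator disables the account (profile edit that sets active = 0)."""
    users[name].active = 0


def find_replayable(users: dict) -> list:
    """Audit: disabled accounts that still hold a validkey are the ones whose
    old activation link would still work; these are what the workaround targets."""
    return sorted(n for n, u in users.items() if u.active == 0 and u.validkey)


def apply_workaround(users: dict) -> list:
    """The advisory's workaround, in bulk: clear validkey on every disabled user."""
    affected = find_replayable(users)
    for name in affected:
        users[name].validkey = ""
    return affected


def demo() -> dict:
    """Walk both flows on a constructed user store and return the outcomes."""
    users = {}
    key = register(users, "alice")
    activate_vulnerable(users, "alice", key)              # legitimate first activation
    disable(users, "alice")                               # admin disables alice
    replayed = activate_vulnerable(users, "alice", key)   # old link still works: True
    disable(users, "alice")
    fixed = apply_workaround(users)                       # ["alice"]
    after_fix = activate_vulnerable(users, "alice", key)  # False
    key_bob = register(users, "bob")
    activate_hardened(users, "bob", key_bob)
    disable(users, "bob")
    replayed_hardened = activate_hardened(users, "bob", key_bob)  # False
    return {
        "replay_succeeds_vulnerable": replayed,
        "workaround_cleared": fixed,
        "replay_after_workaround": after_fix,
        "replay_succeeds_hardened": replayed_hardened,
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Run it directly to see the four outcomes. The audit function is the check a practitioner would want before and after applying the workaround on a real wiki: a disabled account whose validkey is empty is no longer reachable through its old activation link, whereas one that still carries a key is.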

References

https://jira.xwiki.org/browse/XWIKI-17942

For more information

If you have any questions or comments about this advisory:
* Open an issue in Jira
* Email us at the Security mailing-list

Database specific
{
    "nvd_published_at": "2021-05-28T21:15:00Z",
    "github_reviewed_at": "2021-05-18T16:36:02Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285",
        "CWE-863"
    ]
}

Affected packages

Maven / org.xwiki.commons:xwiki-commons-core

Package

Name
org.xwiki.commons:xwiki-commons-core
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.6
Fixed
11.10.13

Affected versions

11.*

11.6
11.6.1
11.7-rc-1
11.7
11.8-rc-1
11.8
11.8.1
11.9
11.10
11.10.1
11.10.2
11.10.3
11.10.4
11.10.5
11.10.6
11.10.7
11.10.8
11.10.10
11.10.11
11.10.12

Maven / org.xwiki.commons:xwiki-commons-core

Package

Name
org.xwiki.commons:xwiki-commons-core
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.0
Fixed
12.6.7

Affected versions

12.*

12.0
12.1-rc-1
12.1
12.2
12.2.1
12.3-rc-1
12.3
12.4-rc-1
12.4
12.5-rc-1
12.5
12.5.1
12.6
12.6.1
12.6.2
12.6.3
12.6.4
12.6.5
12.6.6

Maven / org.xwiki.commons:xwiki-commons-core

Package

Name
org.xwiki.commons:xwiki-commons-core
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
12.10.0
Fixed
12.10.2

Affected versions

12.*

12.10
12.10.1