GHSA-35fg-hjcr-j65f

GitHub Security Advisory

Information exposure in xwiki-platform

✓ GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

### Impact
It's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users.

### Patches
The problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.

### Workarounds
There's no easy workaround other than applying the upgrade.

### References

https://jira.xwiki.org/browse/XWIKI-18787

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at the XWiki Security Mailing list

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| Maven | org.xwiki.platform:xwiki-platform-web | 13.5RC1 | 13.6RC1 |
| Maven | org.xwiki.platform:xwiki-platform-web | 13.0.0 | 13.4.1 |
| Maven | org.xwiki.platform:xwiki-platform-web | 0 | 12.10.9 |

Key Information

GHSA ID: GHSA-35fg-hjcr-j65f
Published: February 9, 2022 9:51 PM
Last Modified: February 9, 2022 9:51 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.xwiki.platform:xwiki-platform-web
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.