GHSA-h4m4-pgp4-whgm

GitHub Security Advisory

The reset password form reveals users' email addresses

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
The reset password form reveals the email address of users just by giving their username.

### Patches
The problem has been patched in XWiki 13.2RC1.

### Workarounds
It's possible to manually modify `resetpasswordinline.vm` to apply the changes made in https://github.com/xwiki/xwiki-platform/commit/0cf716250b3645a5974c80d8336dcdf885749dff#diff-14a3132e3986b1f5606dd13d9d8a8bb8634bec9932123c5e49e9604cfd850fc2

### References
https://jira.xwiki.org/browse/XWIKI-18400

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [Security ML](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-web
Affected versions: 13.1 (fixed in 13.2)

Key Information

* GHSA ID: GHSA-h4m4-pgp4-whgm
* Published: July 2, 2021 7:19 PM
* Last Modified: October 25, 2022 8:25 PM
* CVSS Score: 5.0/10
* Primary Ecosystem: Maven
* Primary Package: org.xwiki.platform:xwiki-platform-web
* GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.