CVE-2021-32732
📋 TL;DR
This vulnerability in XWiki allows attackers to determine whether an email address has an associated user account and identify the corresponding username(s) through the Forgot Username page. The lack of CSRF protection makes automated enumeration attacks easy. All XWiki instances below versions 12.10.5 and 13.2RC1 are affected.
💻 Affected Systems
- XWiki
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Mass enumeration of valid user accounts and associated email addresses, leading to targeted phishing, credential stuffing, or social engineering attacks against identified users.
Likely Case
Information disclosure about user accounts and email associations, potentially enabling targeted attacks against specific users.
If Mitigated
Limited to no impact if CSRF protection is implemented and email verification is required for username recovery.
🎯 Exploit Status
Exploitation requires only HTTP requests to the Forgot Username endpoint with crafted parameters. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.10.5 and 13.2RC1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh
Restart Required: Yes
Instructions:
1. Upgrade XWiki to version 12.10.5 or 13.2RC1 or later.
2. Restart the XWiki application server.
3. Verify the fix by testing the Forgot Username functionality.
🔧 Temporary Workarounds
Manual Page Edit for XWiki <13.x
Edit the ForgotUsername page to implement CSRF protection and email verification as per the provided code snippet.
Edit XWiki/ForgotUsername page with code from: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123
Manual Template Edit for XWiki ≥13.x
Edit the forgotusername.vm template file to add security controls.
Manually edit the forgotusername.vm file in your XWiki installation.
🧯 If You Can't Patch
- Implement network-level restrictions to limit access to the Forgot Username page to trusted IP addresses only.
- Deploy a web application firewall (WAF) with rules to detect and block CSRF attacks and enumeration attempts.
🔍 How to Verify
Check if Vulnerable:
Test if submitting an email to the Forgot Username endpoint reveals whether an account exists without sending an email verification.
Check Version:
Check XWiki version in administration panel or via xwiki.cfg configuration file.
Verify Fix Applied:
After patching, verify that the Forgot Username process now requires email verification and has CSRF tokens implemented.
📡 Detection & Monitoring
Log Indicators:
- Multiple rapid requests to /xwiki/bin/view/XWiki/ForgotUsername with different email parameters
- Unusual patterns of failed username recovery attempts
Network Indicators:
- High volume of POST requests to Forgot Username endpoint from single IPs
- Lack of CSRF tokens in username recovery requests
SIEM Query:
source="xwiki.log" AND (uri_path="/xwiki/bin/view/XWiki/ForgotUsername" AND http_method="POST") | stats count by src_ip
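The log indicators above can be checked outside a SIEM as well. The following is an added example, not code from XWiki or the advisory: it assumes a reverse proxy in front of XWiki writing Apache/nginx combined-format access logs, parses them, and flags any source IP that POSTs to the Forgot Username page more than a threshold number of times inside a sliding one-minute window. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not from any real XWiki instance).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2021:10:00:01 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2021:10:00:02 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2021:10:00:03 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2021:10:00:04 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512
203.0.113.7 - - [01/Jun/2021:10:00:05 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512
198.51.100.4 - - [01/Jun/2021:10:00:10 +0000] "GET /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 2048
198.51.100.4 - - [01/Jun/2021:10:00:20 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512
192.0.2.9 - - [01/Jun/2021:10:05:00 +0000] "POST /xwiki/bin/login/XWiki/XWikiLogin HTTP/1.1" 302 0
"""

# Combined log format (assumed); only the fields we need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/xwiki/bin/view/XWiki/ForgotUsername"


def parse_line(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def flag_enumeration(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for IPs with more than `threshold` POSTs to
    the Forgot Username page inside any sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path == TARGET_PATH:
            events[ip].append(ts)
    flagged = {}
    for ip, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

GET requests (users loading the form) and POSTs to other pages are ignored, so only repeated username-recovery submissions from one address raise the flag; tune `threshold` to the legitimate recovery rate of your instance.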
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/69548c0320cbd772540cf4668743e69f879812cf
- https://github.com/xwiki/xwiki-platform/commit/f0440dfcbba705e03f7565cd88893dde57ca3fa8
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vh5c-jqfg-mhrh
- https://jira.xwiki.org/browse/XWIKI-18384
- https://jira.xwiki.org/browse/XWIKI-18408