[XWIKI-18408] ForgotUsername is not protected against CSRF - XWiki.org JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 12.10.4, 13.1-rc-1
Fix Version/s: 12.10.5, 13.2-rc-1
Component/s: Administration
Labels:
None

Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

It's possible to perform a ForgotUsername request without needing a CSRF token:

http://127.0.0.1:8080/xwiki/bin/view/XWiki/ForgotUsername?e=aaa%22bbb%27ccc%3Eddd%3Ceee (before XWiki 13.1)

http://127.0.0.1:8080/xwiki/bin/view/Main/WebHome?e=aaa%22bbb%27ccc%3Eddd%3Ceee&vm=forgotusername.vm&skin=default&xpage=xpart&language=en (since XWiki 13.1)

Attachments

Issue Links

is related to

XWIKI-18384 The "Forgot your username?" form offers too much information concerning user accounts

Closed

links to

Github security advisory

Activity

People

Assignee:: Simon Urli

Reporter:: Simon Urli

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 09/Mar/21 10:14

Updated:: 04/Feb/22 15:55

Resolved:: 09/Mar/21 14:20