Users registered with email verification can self re-activate their disabled accounts
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration could re-activate themselves by using the activation link provided for their registration. The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0. It is possible to work around the issue by resetting the validkey property of the disabled XWiki users. This can be done by editing the user profile with the object editor.
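A constructed model of the activation flow the advisory describes, added here as an example (it is not XWiki code; the class, field and function names are simplifying assumptions). It shows why a lingering validkey re-enables a disabled account, what the XWIKI-17942 fix changes, and an audit that finds the profiles the workaround says to reset.

```python
# Constructed model of the XWiki activation flow described in the advisory.
# Not XWiki code: names and structure are simplified assumptions.
from dataclasses import dataclass
import hmac
import secrets


@dataclass
class UserAccount:
    name: str
    active: bool = False      # disabled users are inactive
    email_checked: bool = False
    validkey: str = ""        # activation key mailed at registration


def register(name: str) -> tuple[UserAccount, str]:
    """Create an unvalidated user and the key that goes into the activation link."""
    key = secrets.token_urlsafe(16)
    return UserAccount(name=name, validkey=key), key


def validate_user(user: UserAccount, presented_key: str, clear_key: bool) -> bool:
    """Activate the user when the presented key matches the stored one.

    clear_key=False models the vulnerable behaviour (the key stays usable);
    clear_key=True models the fix (key wiped before the account is re-enabled).
    """
    stored = user.validkey
    if stored == "" or not hmac.compare_digest(stored, presented_key):
        return False
    if clear_key:
        user.validkey = ""    # old link can no longer re-enable a disabled account
    user.active = True
    user.email_checked = True
    return True


def replay_after_disable(clear_key: bool) -> bool:
    """Register, activate, disable the user, then replay the original activation link.
    Returns True if the replay re-enabled the account."""
    user, key = register("alice")
    assert validate_user(user, key, clear_key)
    user.active = False       # an administrator disables the account
    validate_user(user, key, clear_key)
    return user.active


def lingering_keys(users: list[UserAccount]) -> list[str]:
    """Workaround audit: disabled users whose validkey is still set are the
    profiles whose validkey property should be reset."""
    return [u.name for u in users if not u.active and u.validkey != ""]
```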
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.commons:xwiki-commons-core (Maven) | >= 11.6, < 11.10.13 | 11.10.13 |
| org.xwiki.commons:xwiki-commons-core (Maven) | >= 12.0, < 12.6.7 | 12.6.7 |
| org.xwiki.commons:xwiki-commons-core (Maven) | >= 12.10.0, < 12.10.2 | 12.10.2 |
Affected products
- Range: < 11.10.13
Patches
f9a677408ffb XWIKI-17942: Email validation check is not properly reset
2 files changed · +7 −1
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/XWiki.java+5 −1 modified@@ -3857,10 +3857,14 @@ public int validateUser(boolean withConfirmEmail, XWikiContext context) throws X // Compare the two keys if ((!storedKey.equals("") && (storedKey.equals(validationKey)))) { + // Ensure to remove the validation key value, so it cannot be used afterwards to enable back + // a disabled user. + userObject.setStringValue("validkey", ""); + saveDocument(userDocument, context); + XWikiUser xWikiUser = new XWikiUser(userDocument.getDocumentReference()); xWikiUser.setDisabled(false, context); xWikiUser.setEmailChecked(true, context); - saveDocument(userDocument, context); if (withConfirmEmail) { String email = userObject.getStringValue("email");
xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/XWikiTest.java+2 −0 modified@@ -580,6 +580,8 @@ public void testValidationKeyStorage() throws Exception this.xwiki.saveDocument(testUser, context); assertEquals(0, this.xwiki.validateUser(false, this.oldcore.getXWikiContext())); + XWikiDocument reloadedDocument = this.xwiki.getDocument(testUser, context); + assertEquals("", reloadedDocument.getObject("XWiki.XWikiUsers").getStringValue("validkey")); // Check with an incorrect plaintext key validationKey.setValue("wrong key");
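Review bot: in the XWiki.java hunk the relocated `saveDocument(userDocument, context)` now persists only the cleared `validkey`, while `xWikiUser.setDisabled(false, context)` and `xWikiUser.setEmailChecked(true, context)` run after the one remaining save; the change is only correct if those two XWikiUser setters persist the document themselves, so a comment saying so (or a save kept after them) would make the intent explicit. The ordering itself is the safe one: the key is wiped before the account is re-enabled, so a failure between the two steps leaves the user disabled with an unusable key rather than enabled with a reusable one, and the existing `!storedKey.equals("")` guard in the condition is what makes the emptied key unmatchable on any later call.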
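Review bot: in the XWikiTest.java hunk the added assertion checks that `validkey` is empty after a successful `validateUser`, but not the scenario in the advisory title; a second `validateUser` call with the same key after the user has been disabled should return something other than 0 and leave the account disabled, and asserting that directly would tie the test to the regression being fixed. Reloading through `getDocument(testUser, context)` rather than reading the in-memory object is the right way to verify the cleared key was actually persisted.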
References
- github.com/advisories/GHSA-76mp-659p-rw65 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-32620 (NVD entry)
- github.com/xwiki/xwiki-platform/commit/f9a677408ffb06f309be46ef9d8df1915d9099a4 (fix commit)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-76mp-659p-rw65 (vendor advisory)
- jira.xwiki.org/browse/XWIKI-17942 (issue tracker)