Vulnerability Information
Vulnerability Title
A user without PR can reset user authentication failures information
Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights. An attacker with Script rights who is able to reset the authentication failure record might perform a brute force attack, since they would be able to virtually deactivate the mechanism introduced to mitigate those attacks. The problem has been patched in versions 12.6.8, 12.10.4 and 13.0. There are no workarounds aside from upgrading.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Vulnerability Type
Protection Mechanism Failure
Vulnerability Title
XWiki Platform Authorization Issue Vulnerability
Vulnerability Description
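XWiki Platform is a wiki platform from the French company XWiki for creating collaborative web applications. A security vulnerability exists in XWiki Platform versions prior to 12.6.88, 12.10.4, and 13.0. It arises because the script service method that resets the authentication failures record can be executed by any user with Script rights, without requiring Programming rights.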
CVSS Information
N/A
Vulnerability Type
N/A