{"id":"CVE-2021-32621","details":"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.","aliases":["GHSA-h353-hc43-95vc"],"modified":"2026-03-13T22:16:11.979557Z","published":"2021-05-28T21:15:08.980Z","related":["GHSA-h353-hc43-95vc"],"references":[{"type":"ADVISORY","url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc"},{"type":"REPORT","url":"https://jira.xwiki.org/browse/XWIKI-17794"},{"type":"FIX","url":"https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc"},{"type":"EVIDENCE","url":"https://jay-from-future.github.io/cve/2021/06/17/xwiki-rce-cve.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"804f16c0efbf6ba3d08c7ad780b81b7203741d8c"},{"fixed":"82cca0679aa3d0e04a0f64e74d30f4ba79e0d416"},{"introduced":"612251661a3a45798f307c1d3eafd3b269730a8d"},{"fixed":"1c043970cac11a297f1c0744db90ba1421d582a5"},{"introduced":"0"},{"last_affected":"75c1bed0bf998a62cd9464d5070b0984dae1a04a"},{"introduced":"0"},{"last_affected":"729a4bf9e5dfc1e3a79b5120eca8147a5715ff8f"},{"fixed":"bb7068bd911f91e5511f3cfb03276c7ac81100bc"}],"database_specific":{"versions":[{"introduced":"3.0.1"},{"fixed":"12.6.7"},{"introduced":"12.10"},{"fixed":"12.10.3"},{"introduced":"0"},{"last_affected":"3.0-NA"},{"introduced":"0"},{"last_affected":"3.0-milestone3"}]}}],"database_specific":{"vanir_signatures":[{"source":"https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc","signature_version":"v1","id":"CVE-2021-32621-59ce8767","digest":{"length":1005,"function_hash":"320410905558089094281692022948328430153"},"deprecated":false,"signature_type":"Function","target":{"function":"getGadgets","file":"xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java"}},{"source":"https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc","signature_version":"v1","id":"CVE-2021-32621-796e8fae","digest":{"line_hashes":["253825524754872925471870056296194100151","246231334577973883233300413877574428917","266794873904673098447877299958028924968","20136689313709188912260709072125715415","24347539411103939997957456250745781424","308423107115460905053613977459743676507","132426658199235778085679212435919208817","295803082873100392308989118164918124093","290601319325029777080427844168705597837","244691295763764658791769228348765481688","110602821388625314495288269469377767865","150834224865473128030359799419405465885","144211676287051941019438726717970355434","217814406885121996619973149776895151698","134212944258462178064134777224384914862","53353947765768316107488710153612568163","321430418941069131196007472431619244262","302647718985098805089167321151920783999","36677443527597280127369445784096817817","202620142384334519492030889394489091097","15548933824433952531435999933224021074","21442905281451565793770816888467751731","292545816074350483186573137975517557845","102167274986190022125414330938554412408","33813606929943517251747600128368821029","305031149979779869987921109516333835857","100509612677401975700681450659544709267","217029625547371224339014733429564770316","183384359119283323032633264849246325111","153103528490214334915846244854463816735","65596983425684319649064981181962710540","113191135265617563443761591617860483938","92413034176314844970802352667786995969","142515433425196326574614725368789994297","16272837630852043056359228231602364839","259342618098353589188741747391196199502","55320252117280574202930803484819258689","3304352288304965621828175823238381909","164122255735781601640865997919345587809","109324526046608358649789618361128211877","146430294455283343440845945319109891609"],"threshold":0.9},"deprecated":false,"signature_type":"Line","target":{"file":"xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java"}},{"source":"https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc","signature_version":"v1","id":"CVE-2021-32621-81dd54ba","digest":{"length":1258,"function_hash":"33375473102262479671447847022027611077"},"deprecated":false,"signature_type":"Function","target":{"function":"prepareGadgets","file":"xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/main/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSource.java"}},{"source":"https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc","signature_version":"v1","id":"CVE-2021-32621-92bb4c18","digest":{"length":2229,"function_hash":"283491026083551100588717491686267796562"},"deprecated":false,"signature_type":"Function","target":{"function":"setup","file":"xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/test/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSourceTest.java"}},{"source":"https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc","signature_version":"v1","id":"CVE-2021-32621-f85581f5","digest":{"line_hashes":["27546729016509600432046951463681857115","327806149183543796428016526254439075994","226457648369618218380735137449165852403","283304107780773524003167056351693901210","49572689214454380636041099751709499519","34198036493635760434176264058853505546","39023952895122358705721879189030109762","193760471552211522497473047731003711897","71275962790752498558554383750928586633","251521822633896693155860326690800962829","177359891142590041267097881812554527492","57688733293763263633283076611567345769","124479147727079482209377287857261616807","114111363913194830210338655080586436575","212927241456065567655087731127107111725","29071307420221519467851764248679665711","104065128676037727777524997613468551741","107152879788811108262242940507594226780","21919405188680667282878953298372722176","232541998267856711667649019501085133366","316532816246079767045661959948274575322","205370094394958551912751111524421759028","213641488172193250183708637741393415395","307412470134478280260614531311113880948","315073376998828374014972663005707912892","157400678479481631308474154347157194994","70398978414177221523848211065678943258","98709189384888709894899428254250063725","188581809417913851695671278888841949837","124795088745617588091869729050530332460","275880931230196279795631052040532255304","100653908201686917345166980793193411258"],"threshold":0.9},"deprecated":false,"signature_type":"Line","target":{"file":"xwiki-platform-core/xwiki-platform-dashboard/xwiki-platform-dashboard-macro/src/main/java/org/xwiki/rendering/internal/macro/dashboard/DefaultGadgetSource.java"}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.0-rc1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32621.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}