
CVE-2021-32732: CWE-352: Cross-Site Request Forgery (CSRF) in xwiki xwiki-platform

Medium
Published: Fri Feb 04 2022 (02/04/2022, 22:15:13 UTC)
Source: CVE
Vendor/Project: xwiki
Product: xwiki-platform

Description

### Impact

It's possible to know whether a user has an account in a wiki related to an email address, and which username(s) are actually tied to that email, by forging a request to the Forgot username page. Note that since this page does not have a CSRF check, it's quite easy to perform a lot of those requests.

### Patches

This issue has been patched in XWiki 12.10.5 and 13.2RC1. Two different patches are provided:

- a first one to fix the CSRF problem
- a more complex one that now relies on sending an email for the Forgot username process.

### Workarounds

It's possible to fix the problem without upgrading by editing the ForgotUsername page in versions below 13.x, to use the following code: https://github.com/xwiki/xwiki-platform/blob/69548c0320cbd772540cf4668743e69f879812cf/xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ForgotUsername.xml#L39-L123

In versions after 13.x it's also possible to edit the forgotusername.vm file manually, but upgrading is really encouraged here.

### References

* https://jira.xwiki.org/browse/XWIKI-18384
* https://jira.xwiki.org/browse/XWIKI-18408

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [security ML](mailto:security@xwiki.org)

AI-Powered Analysis

Last updated: 06/22/2025, 04:36:16 UTC

Technical Analysis

CVE-2021-32732 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the xwiki-platform, an open-source wiki and collaboration platform widely used for knowledge management and documentation. The vulnerability exists in the 'Forgot username' functionality of the platform, where an attacker can forge HTTP requests to the Forgot username page without any CSRF protection mechanisms in place. This allows an attacker to determine whether a given email address is associated with an account on the wiki and to enumerate usernames tied to that email. The lack of CSRF tokens or other anti-CSRF controls means that automated, repeated requests can be made easily, enabling large-scale enumeration attacks. This information disclosure can facilitate further targeted attacks such as phishing or social engineering. The vulnerability affects xwiki-platform versions prior to 12.10.5 and versions from 13.0 up to but not including 13.2RC1. The vendor has released two patches: one to add CSRF protection and another to enhance the Forgot username process by requiring email verification, thus mitigating the risk of automated enumeration. Workarounds include manually editing the ForgotUsername page or the forgotusername.vm file to implement CSRF protections, but upgrading to patched versions is strongly recommended. No known exploits have been reported in the wild to date. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery).

Potential Impact

For European organizations using xwiki-platform, this vulnerability poses a moderate risk, primarily related to information disclosure and user privacy. Attackers can leverage the flaw to enumerate valid user accounts linked to email addresses, which can be used to craft targeted phishing campaigns or social engineering attacks, potentially leading to credential theft or unauthorized access. While the vulnerability does not directly allow account takeover or system compromise, the exposure of user information undermines confidentiality and can facilitate subsequent attacks. Organizations with sensitive or regulated data, such as government agencies, healthcare, or financial institutions, may face compliance and reputational risks if user data is exposed. The ease of exploitation, requiring no authentication and no user interaction beyond visiting a malicious page, means that attackers can automate reconnaissance at scale. However, the impact on system integrity and availability is low, as the vulnerability does not allow modification or disruption of services. Overall, the threat is significant for organizations relying on xwiki-platform for internal or external collaboration, especially where user privacy is critical.

Mitigation Recommendations

1. Upgrade xwiki-platform to version 12.10.5 or later, or 13.2RC1 or later, where the vulnerability is fully patched.
2. If immediate upgrade is not feasible, manually apply the workaround by editing the ForgotUsername page as per the vendor's recommended code changes to add CSRF protection. For versions after 13.x, modify the forgotusername.vm file to implement CSRF tokens or similar anti-CSRF mechanisms.
3. Implement web application firewall (WAF) rules to detect and block suspicious repeated requests to the Forgot username endpoint, limiting automated enumeration attempts.
4. Monitor logs for unusual activity targeting the Forgot username functionality, such as high volumes of requests from single IP addresses or unusual user-agent strings.
5. Educate users about phishing risks, especially if their usernames or emails could be exposed, and encourage strong, unique passwords and multi-factor authentication where possible.
6. Review and tighten email verification and notification processes related to account recovery to detect and alert on suspicious activity.
7. Conduct regular security assessments and penetration tests focusing on user enumeration and CSRF vulnerabilities to ensure no regressions occur.
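As an added example of the log monitoring in recommendation 4 (not code from XWiki or from this advisory), the script below parses constructed Apache-style access-log lines and flags client IPs that hit the Forgot username page repeatedly within a sliding time window, recording the user-agent for triage. The page path /xwiki/bin/view/XWiki/ForgotUsername, the thresholds and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines in Apache combined format (not real traffic).
# The path below is the assumed location of the Forgot username page; adjust it to
# the deployment's context path.
FORGOT_USERNAME_PATH = "/xwiki/bin/view/XWiki/ForgotUsername"
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:14:00:01 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512 "-" "python-requests/2.25"
203.0.113.7 - - [10/Jun/2021:14:00:02 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512 "-" "python-requests/2.25"
203.0.113.7 - - [10/Jun/2021:14:00:03 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512 "-" "python-requests/2.25"
203.0.113.7 - - [10/Jun/2021:14:00:04 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512 "-" "python-requests/2.25"
198.51.100.4 - - [10/Jun/2021:14:00:10 +0000] "GET /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2021:14:00:40 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2021:14:00:41 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_enumeration(log_text, threshold=4, window_seconds=60):
    """Return {ip: (peak_hits, user_agent)} for clients that requested the Forgot
    username page at least `threshold` times within any `window_seconds` window."""
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(FORGOT_USERNAME_PATH):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop hits that fell out of the sliding window
        if len(q) >= threshold:
            prev = flagged.get(rec["ip"], (0, ""))[0]
            flagged[rec["ip"]] = (max(prev, len(q)), rec["ua"])
    return flagged
```

On the sample, only 203.0.113.7 is flagged (4 hits in 3 seconds); the ordinary user who loads the page and submits it once stays below the threshold.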


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2021-05-12T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf60b6

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 4:36:16 AM

Last updated: 8/3/2025, 4:08:30 AM
