Description

In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.

Remediation

References

http://www.securityfocus.com/bid/107631

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2021-26539 Vulnerability in maven package org.webjars.npm:sanitize-html

CVE-2017-12624 Vulnerability in maven package org.apache.cxf:cxf-rt-frontend-jaxrs

CVE-2021-39234 Vulnerability in maven package org.apache.ozone:ozone-common

CVE-2023-26158 Vulnerability in maven package org.webjars.npm:mockjs

CVE-2018-11615 Vulnerability in npm package mosca

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory VDB Entry Vendor Advisory