Description

In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.

Remediation

References

http://www.securityfocus.com/bid/107631

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2022-2390 Vulnerability in maven package com.google.android.gms:play-services-basement

CVE-2021-23411 Vulnerability in npm package anchorme

CVE-2012-3451 Vulnerability in maven package org.apache.cxf:cxf-rt-core

CVE-2022-25869 Vulnerability in maven package org.webjars.npm:angular

CVE-2018-1000125 Vulnerability in maven package com.inversoft:prime-jwt

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory VDB Entry Vendor Advisory