Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/05/19/6

http://www.securityfocus.com/bid/108437

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078

https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2023-31206 Vulnerability in maven package org.apache.inlong:manager-test

CVE-2020-35460 Vulnerability in maven package net.sf.mpxj:mpxj

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk18on

CVE-2020-36732 Vulnerability in maven package org.webjars.bowergithub.brix:crypto-js

CVE-2013-4286 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory