Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/05/19/6
http://www.securityfocus.com/bid/108437
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078
https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
Related Vulnerabilities
CVE-2022-45397 Vulnerability in maven package org.jenkins-ci.plugins:osf-builder-suite-xml-linter
CVE-2007-6433 Vulnerability in maven package org.jboss.seam:jboss-seam
CVE-2019-25027 Vulnerability in maven package com.vaadin:flow-server
CVE-2017-5635 Vulnerability in maven package org.apache.nifi:nifi-framework-authorization
CVE-2016-8750 Vulnerability in maven package org.apache.karaf.jaas:org.apache.karaf.jaas.modules