Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Remediation

References

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078

http://www.openwall.com/lists/oss-security/2019/05/19/6

http://www.securityfocus.com/bid/108437

https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2023-31058 Vulnerability in maven package org.apache.inlong:manager-pojo

CVE-2023-37956 Vulnerability in maven package org.jenkins-ci.plugins:test-results-aggregator

CVE-2023-26476 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livetable-ui

CVE-2023-46115 Vulnerability in npm package @tauri-apps/cli

CVE-2023-35146 Vulnerability in maven package org.jenkins.plugin.templateworkflows:template-workflows

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory