Description
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
Remediation
References
http://www.securityfocus.com/bid/107631
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E
Related Vulnerabilities
CVE-2016-10519 Vulnerability in npm package bittorrent-dht
CVE-2020-8192 Vulnerability in npm package fastify
CVE-2020-7792 Vulnerability in maven package org.webjars.npm:mout
CVE-2019-12041 Vulnerability in maven package org.webjars:remarkable
CVE-2018-16487 Vulnerability in maven package org.webjars.npm:lodash