Description

In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.

Remediation

References

http://www.securityfocus.com/bid/107631

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2022-43431 Vulnerability in maven package com.compuware.jenkins:compuware-strobe-measurement

CVE-2022-22931 Vulnerability in maven package org.apache.james:james-server

CVE-2017-2652 Vulnerability in maven package org.jvnet.hudson.plugins:distfork

CVE-2021-44906 Vulnerability in maven package org.webjars.bowergithub.substack:minimist

CVE-2019-16775 Vulnerability in npm package bin-links

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory VDB Entry Vendor Advisory