Description

In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.

Remediation

References

http://www.securityfocus.com/bid/107631

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2016-10519 Vulnerability in npm package bittorrent-dht

CVE-2020-8192 Vulnerability in npm package fastify

CVE-2020-7792 Vulnerability in maven package org.webjars.npm:mout

CVE-2019-12041 Vulnerability in maven package org.webjars:remarkable

CVE-2018-16487 Vulnerability in maven package org.webjars.npm:lodash

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory VDB Entry Vendor Advisory