Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/05/19/6

http://www.securityfocus.com/bid/108437

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078

https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2020-2149 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector

CVE-2023-48223 Vulnerability in npm package fast-jwt

CVE-2023-50723 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

CVE-2023-37963 Vulnerability in maven package io.jenkins.plugins:benchmark-evaluator

CVE-2020-5397 Vulnerability in maven package org.springframework:spring-webflux

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory