Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/05/19/6

http://www.securityfocus.com/bid/108437

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078

https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2022-36886 Vulnerability in maven package org.jenkins-ci.plugins:external-monitor-job

CVE-2019-20503 Vulnerability in npm package electron

CVE-2011-4605 Vulnerability in maven package org.jboss.naming:jnpserver

CVE-2023-50721 Vulnerability in maven package org.xwiki.platform:xwiki-platform-search-ui

CVE-2021-44791 Vulnerability in maven package org.apache.druid:druid

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory