Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/05/19/6

http://www.securityfocus.com/bid/108437

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078

https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E

https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E

Related Vulnerabilities

CVE-2015-8131 Vulnerability in npm package kibana

CVE-2023-46115 Vulnerability in npm package @tauri-apps/cli

CVE-2018-1000148 Vulnerability in maven package org.jenkins-ci.plugins:copy-to-slave

CVE-2020-26272 Vulnerability in maven package org.webjars.npm:electron

CVE-2010-3863 Vulnerability in maven package org.apache.shiro:shiro-all

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory