Description
Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
Remediation
References
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140
https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t
Related Vulnerabilities
CVE-2023-35925 Vulnerability in maven package com.fastasyncworldedit:fastasyncworldedit-bukkit
CVE-2020-6451 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-34464 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates
CVE-2020-7651 Vulnerability in npm package snyk-broker
CVE-2022-23708 Vulnerability in maven package org.elasticsearch:elasticsearch