Vulnerabilities related to Apache Software Foundation - Apache JSPWiki
CVE-2022-27166 (GCVE-0-2022-27166)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 05:18
CWE
- Cross-site scripting vulnerability on XHRHtml2Markup.jsp
Summary
A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki <= 2.11.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:18:39.251Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Issue was discovered by Salt, \u003csaltnekoko AT gmail DOT com\u003e" } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability on XHRHtml2Markup.jsp", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-04T06:15:17", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "source": { "discovery": "UNKNOWN" }, "title": "XSS vulnerability on XHRHtml2Markup.jsp in JSPWiki 2.11.2", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-27166", "STATE": "PUBLIC", "TITLE": "XSS vulnerability on XHRHtml2Markup.jsp in JSPWiki 2.11.2" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "Apache JSPWiki up to 2.11.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Issue was discovered by Salt, \u003csaltnekoko AT gmail DOT com\u003e" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability on XHRHtml2Markup.jsp" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-27166", "datePublished": "2022-08-04T06:15:17", "dateReserved": "2022-03-14T00:00:00", "dateUpdated": "2024-08-03T05:18:39.251Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-28730 (GCVE-0-2022-28730)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 06:03
CWE
- XSS
Summary
A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki <= 2.11.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:03:52.583Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Poh Jia Hao, from Star Labs \u003cinfo AT starlabs DOT sg\u003e" } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-04T06:15:29", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-28730", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "Apache JSPWiki up to 2.11.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Poh Jia Hao, from Star Labs \u003cinfo AT starlabs DOT sg\u003e" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28730", "datePublished": "2022-08-04T06:15:29", "dateReserved": "2022-04-05T00:00:00", "dateUpdated": "2024-08-03T06:03:52.583Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10077 (GCVE-0-2019-10077)
Vulnerability from cvelistv5
Published
2019-05-20 20:46
Modified
2024-08-04 22:10
CWE
- Cross-site scripting vulnerability
Summary
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2019/05/19/5 | mailing-list, x_refsource_MLIST | |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/108437 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki 2.9.0 to 2.11.0.M3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.440Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10077] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/5" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108437" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-23T15:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10077] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/5" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108437" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-10077", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10077] Apache JSPWiki Cross-site scripting vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/5" }, { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077", "refsource": "CONFIRM", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077" }, { "name": "108437", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108437" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10077", "datePublished": "2019-05-20T20:46:15", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.440Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-20242 (GCVE-0-2018-20242)
Vulnerability from cvelistv5
Published
2019-02-11 21:00
Modified
2024-09-17 01:47
CWE
- n/a
Summary
A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/106804 | vdb-entry, x_refsource_BID | |
https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: prior to 2.10.5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:58:18.686Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "106804", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/106804" }, { "name": "[user] 20190130 [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability onApache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "prior to 2.10.5" } ] } ], "datePublic": "2019-01-30T00:00:00", "descriptions": [ { "lang": "en", "value": "A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-19T17:06:00", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "106804", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/106804" }, { "name": "[user] 20190130 [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability onApache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2019-01-30T00:00:00", "ID": "CVE-2018-20242", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "prior to 2.10.5" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which 
could lead to session hijacking." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "106804", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106804" }, { "name": "[user] 20190130 [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability onApache JSPWiki", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4@%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-20242", "datePublished": "2019-02-11T21:00:00Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-17T01:47:05.525Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10076 (GCVE-0-2019-10076)
Vulnerability from cvelistv5
Published
2019-05-20 20:31
Modified
2024-08-04 22:10
CWE
- Cross-site scripting vulnerability
Summary
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2019/05/19/4 | mailing-list, x_refsource_MLIST | |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076 | x_refsource_CONFIRM | |
http://www.securityfocus.com/bid/108437 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki 2.9.0 to 2.11.0.M3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.207Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10076] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108437" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-23T15:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10076] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108437" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-10076", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10076] Apache JSPWiki Cross-site scripting vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076", "refsource": "CONFIRM", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "name": "108437", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108437" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10076", "datePublished": "2019-05-20T20:31:41", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.207Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-28732 (GCVE-0-2022-28732)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 06:03
CWE
- XSS
Summary
A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki <= 2.11.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:03:52.589Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Wang Ran, from JDArmy, @jd.com " } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "XSS", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-04T06:15:57", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki Cross-site scripting vulnerability on WeblogPlugin", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-28732", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki Cross-site scripting vulnerability on WeblogPlugin" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "Apache JSPWiki up to 2.11.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Wang Ran, from JDArmy, @jd.com " } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XSS" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28732", "datePublished": "2022-08-04T06:15:57", "dateReserved": "2022-04-05T00:00:00", "dateUpdated": "2024-08-03T06:03:52.589Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-24948 (GCVE-0-2022-24948)
Vulnerability from cvelistv5
Published
2022-02-25 08:30
Modified
2024-08-03 04:29
CWE
- Cross-site scripting vulnerability on User Preferences screen
Summary
A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/02/25/2 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki up to 2.11.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:29:01.128Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" }, { "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.1 " } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Paulos Yibelo, from Octagon Networks. " } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability on User Preferences screen", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-25T15:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" }, { "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-24948", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.1 " } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Paulos Yibelo, from Octagon Networks. " } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability on User Preferences screen" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b", "refsource": "MISC", "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" }, { "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-24948", "datePublished": "2022-02-25T08:30:19", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:29:01.128Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-28731 (GCVE-0-2022-28731)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 06:03
CWE
- CSRF Account Takeover
Summary
A carefully crafted request on UserPreferences.jsp could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account and then request a password reset from the login page.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki ≤ Apache JSPWiki up to 2.11.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:03:52.648Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Fabrice Perez, \u003cfabioperez AT gmail DOT com\u003e " } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page." } ], "metrics": [ { "other": { "content": { "other": "critical" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF Account Takeover", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-04T06:15:43", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki CSRF in UserPreferences.jsp", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. Installations \u003e= 2.7.0 can also enable user management workflows\u0027 manual approval to mitigate the issue. 
" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-28731", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki CSRF in UserPreferences.jsp" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "Apache JSPWiki up to 2.11.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Fabrice Perez, \u003cfabioperez AT gmail DOT com\u003e " } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "critical" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF Account Takeover" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. Installations \u003e= 2.7.0 can also enable user management workflows\u0027 manual approval to mitigate the issue. 
" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28731", "datePublished": "2022-08-04T06:15:43", "dateReserved": "2022-04-05T00:00:00", "dateUpdated": "2024-08-03T06:03:52.648Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-24854 (GCVE-0-2025-24854)
Vulnerability from cvelistv5
Published
2025-07-31 08:43
Modified
2025-07-31 17:55
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request using the Image plugin could trigger an XSS
vulnerability on Apache JSPWiki, which could allow the attacker to
execute javascript in the victim's browser and get some sensitive
information about the victim.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: 0 ≤ 2.12.2 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-24854", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-31T13:38:50.896375Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-31T17:55:04.477Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.12.2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "The issue was separately discovered by both XBOW (https://github.com/xbow-security, https://xbow.com) and Hamed Kohi \u003c0x.hamy.1ATgmailDOTcom\u003e" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eA carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApache JSPWiki users should upgrade to 2.12.3 or later.\u003cbr\u003e\u003c/div\u003e" } ], "value": "A carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow 
the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\n\n\n\n\n\nApache JSPWiki users should upgrade to 2.12.3 or later." } ], "metrics": [ { "other": { "content": { "text": "Medium" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-31T08:43:18.886Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-24854", "datePublished": "2025-07-31T08:43:18.886Z", "dateReserved": "2025-01-25T20:04:53.948Z", "dateUpdated": "2025-07-31T17:55:04.477Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-27136 (GCVE-0-2024-27136)
Vulnerability from cvelistv5
Published
2024-06-24 07:44
Modified
2025-03-20 18:03
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
XSS in the Upload page in Apache JSPWiki 2.12.1 and prior versions allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5 | vendor-advisory | |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: 0 ≤ 2.12.1 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27136", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-24T13:27:24.688821Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-20T18:03:19.410Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-09-13T16:03:09.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136" }, { "url": "http://www.openwall.com/lists/oss-security/2024/06/23/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.12.1", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This issue was discovered by sonnh from Vietnam National Cyber security technology corporation" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim\u0027s 
browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. " } ], "value": "XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. " } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-24T07:44:30.732Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5" }, { "tags": [ "vendor-advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki: Cross-site scripting vulnerability on upload page", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-27136", "datePublished": "2024-06-24T07:44:30.732Z", "dateReserved": "2024-02-20T12:13:15.203Z", "dateUpdated": "2025-03-20T18:03:19.410Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10078 (GCVE-0-2019-10078)
Vulnerability from cvelistv5
Published
2019-05-20 20:50
Modified
2024-08-04 22:10
CWE
- Cross-site scripting vulnerability
Summary
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.openwall.com/lists/oss-security/2019/05/19/6 | mailing-list, x_refsource_MLIST | |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078 | x_refsource_CONFIRM | |
https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST | |
http://www.securityfocus.com/bid/108437 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki 2.9.0 to 2.11.0.M3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.382Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[jspwiki-dev] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "name": "[jspwiki-dev] 20190521 Re: [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108437" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted plugin 
link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-23T15:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[jspwiki-dev] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "name": "[jspwiki-dev] 20190521 Re: [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108437" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": 
"security@apache.org", "ID": "CVE-2019-10078", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "[jspwiki-dev] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9@%3Cdev.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078", "refsource": "CONFIRM", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "name": "[jspwiki-dev] 20190521 Re: [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", 
"refsource": "MLIST", "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7@%3Cdev.jspwiki.apache.org%3E" }, { "name": "108437", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108437" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10078", "datePublished": "2019-05-20T20:50:54", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.382Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-34158 (GCVE-0-2022-34158)
Vulnerability from cvelistv5
Published
2022-08-04 06:16
Modified
2024-08-03 08:16
CWE
- CSRF group privilege escalation
Summary
A carefully crafted invocation on the Image plugin could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account and then request a password reset from the login page.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: unspecified ≤ Apache JSPWiki up to 2.11.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T08:16:17.225Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Huiseong Seo (t0rchwo0d), \u003cawdr1624AT gmail DOT com\u003e" } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker\u0027s account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page." } ], "metrics": [ { "other": { "content": { "other": "critical" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF group privilege escalation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-04T06:16:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" } ], "source": { "discovery": "UNKNOWN" }, "title": "User Group Privilege Escalation", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. 
" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-34158", "STATE": "PUBLIC", "TITLE": "User Group Privilege Escalation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "Apache JSPWiki up to 2.11.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Huiseong Seo (t0rchwo0d), \u003cawdr1624AT gmail DOT com\u003e" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker\u0027s account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "critical" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF group privilege escalation" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. 
" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-34158", "datePublished": "2022-08-04T06:16:11", "dateReserved": "2022-06-20T00:00:00", "dateUpdated": "2024-08-03T08:16:17.225Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-24853 (GCVE-0-2025-24853)
Vulnerability from cvelistv5
Published
2025-07-31 08:42
Modified
2025-07-31 17:55
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request when creating a header link using the
wiki markup syntax could trigger an XSS vulnerability on Apache JSPWiki,
which could allow the attacker to execute javascript in the victim's
browser and get some sensitive information about the victim.
Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853 | vendor-advisory |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: 0 ≤ 2.12.2 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-24853", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-31T13:39:02.510980Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-31T17:55:11.018Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.12.2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "The issue was discovered by XBOW (https://github.com/xbow-security, https://xbow.com)" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eA carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute javascript\n in the victim\u0027s browser and get some sensitive information about the \nvictim.\n\u003c/p\u003e\n\u003cp\u003eFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\u003c/p\u003e\u003cp\u003eApache JSPWiki users should upgrade to 2.12.3 or later.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e" } ], "value": "A carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute 
javascript\n in the victim\u0027s browser and get some sensitive information about the \nvictim.\n\n\n\nFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\n\nApache JSPWiki users should upgrade to 2.12.3 or later." } ], "metrics": [ { "other": { "content": { "text": "Medium" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-31T08:42:06.453Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-24853", "datePublished": "2025-07-31T08:42:06.453Z", "dateReserved": "2025-01-25T20:03:15.418Z", "dateUpdated": "2025-07-31T17:55:11.018Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-24947 (GCVE-0-2022-24947)
Vulnerability from cvelistv5
Published
2022-02-25 08:30
Modified
2024-08-03 04:29
CWE
- CSRF Account Takeover
Summary
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/02/25/1 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki up to 2.11.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:29:01.578Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c" }, { "name": "[oss-security] 20220225 [CVE-2022-24947] Apache JSPWiki CSRF Account Takeover", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.1 " } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered initially by Cristian Borlovan from Ounce Labs Security (ref. JSPWIKI-79), and later on and independently from this by Paulos Yibelo, from Octagon Networks. " } ], "descriptions": [ { "lang": "en", "value": "Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CSRF Account Takeover", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-25T15:06:13", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c" }, { "name": "[oss-security] 20220225 [CVE-2022-24947] Apache JSPWiki CSRF Account Takeover", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/1" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki CSRF Account Takeover", "workarounds": [ { "lang": "en", "value": "Installations \u003e= 2.7.0 can also enable user management workflows\u0027 manual approval to mitigate the issue." } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-24947", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki CSRF Account Takeover" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.1 " } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered initially by Cristian Borlovan from Ounce Labs Security (ref. JSPWIKI-79), and later on and independently from this by Paulos Yibelo, from Octagon Networks. " } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF Account Takeover" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c", "refsource": "MISC", "url": "https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c" }, { "name": "[oss-security] 20220225 [CVE-2022-24947] Apache JSPWiki CSRF Account Takeover", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/25/1" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Installations \u003e= 2.7.0 can also enable user management workflows\u0027 manual approval to mitigate the issue." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-24947", "datePublished": "2022-02-25T08:30:18", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:29:01.578Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-40369 (GCVE-0-2021-40369)
Vulnerability from cvelistv5
Published
2021-11-24 11:15
Modified
2024-08-04 02:44
CWE
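- CVE-2021-40369 (the record's problem-type field repeats the CVE ID instead of naming a weakness; the summary describes cross-site scripting)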
Summary
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369 | x_refsource_MISC | |
https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2022/08/03/3 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki <= 2.11.0.M8 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:44:09.644Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" }, { "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.11.0.M8", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache JSPWiki would like to thank map1e (root@lazymaple.pw) for discovering this issue." } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "CVE-2021-40369", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-03T23:06:20", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" }, { "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "XSS vulnerability on Denounce plugin", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. " } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-40369", "STATE": "PUBLIC", "TITLE": "XSS vulnerability on Denounce plugin" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "2.11.0.M8" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache JSPWiki would like to thank map1e (root@lazymaple.pw) for discovering this issue." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CVE-2021-40369" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "name": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh", "refsource": "MISC", "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" }, { "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. " } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40369", "datePublished": "2021-11-24T11:15:13", "dateReserved": "2021-09-01T00:00:00", "dateUpdated": "2024-08-04T02:44:09.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-46907 (GCVE-0-2022-46907)
Vulnerability from cvelistv5
Published
2023-05-25 06:58
Modified
2025-02-13 16:33
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: 0 < Apache JSPWiki up to 2.12.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:47:27.792Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/1m0mkq2nttx8tn94m11mytn4f0tv1504" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/05/25/1" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-46907", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-09T19:56:09.990171Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-09T19:56:24.015Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "Apache JSPWiki up to 2.12.0", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This issue was discovered by Eugene Lim and Sng Jay Kai from Government Technology Agency of Singapore" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. 
Apache JSPWiki users should upgrade to 2.12.0 or later.\u003cbr\u003e" } ], "value": "A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later." } ], "metrics": [ { "other": { "content": { "text": "Medium" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-25T07:00:09.411Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/1m0mkq2nttx8tn94m11mytn4f0tv1504" }, { "url": "http://www.openwall.com/lists/oss-security/2023/05/25/1" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache JSPWiki: XSS Injection points in several plugins", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-46907", "datePublished": "2023-05-25T06:58:18.912Z", "dateReserved": "2022-12-10T15:13:04.776Z", "dateUpdated": "2025-02-13T16:33:58.435Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-44140 (GCVE-0-2021-44140)
Vulnerability from cvelistv5
Published
2021-11-24 11:15
Modified
2024-08-04 04:17
CWE
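- CVE-2021-44140 (the record's problem-type field repeats the CVE ID instead of naming a weakness; the summary describes arbitrary file deletion)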
Summary
Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
References
▼ | URL | Tags |
---|---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140 | x_refsource_MISC | |
https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t | x_refsource_MISC |
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Apache Software Foundation | Apache JSPWiki |
Version: Apache JSPWiki <= 2.11.0.M8 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:17:24.421Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.11.0.M8", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache JSPWiki would like to thank haby0 (forhaby0@gmail.com) from Duxiaoman Financial Security Team for discovering and proposing the fix for this issue." } ], "descriptions": [ { "lang": "en", "value": "Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later." } ], "problemTypes": [ { "descriptions": [ { "description": "CVE-2021-44140", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-24T11:15:14", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" } ], "source": { "discovery": "UNKNOWN" }, "title": "Arbitrary file deletion on logout", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. 
" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-44140", "STATE": "PUBLIC", "TITLE": "Arbitrary file deletion on logout" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "2.11.0.M8" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache JSPWiki would like to thank haby0 (forhaby0@gmail.com) from Duxiaoman Financial Security Team for discovering and proposing the fix for this issue." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CVE-2021-44140" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "name": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t", "refsource": "MISC", "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. 
" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-44140", "datePublished": "2021-11-24T11:15:14", "dateReserved": "2021-11-22T00:00:00", "dateUpdated": "2024-08-04T04:17:24.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }