Vulnerabilities related to apache - jspwiki
CVE-2022-27166 (GCVE-0-2022-27166)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 05:18
CWE
- Cross-site scripting vulnerability on XHRHtml2Markup.jsp
Summary
A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
URL | Tags
---|---
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC

Impacted products

Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache JSPWiki | Apache JSPWiki <
CVE-2022-28730 (GCVE-0-2022-28730)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 06:03
CWE
- XSS
Summary
A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.
References
URL | Tags
---|---
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC

Impacted products

Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache JSPWiki | Apache JSPWiki <
CVE-2019-10077 (GCVE-0-2019-10077)
Vulnerability from cvelistv5
Published
2019-05-20 20:46
Modified
2024-08-04 22:10
CWE
- Cross-site scripting vulnerability
Summary
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
References
URL | Tags
---|---
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2019/05/19/5 | mailing-list, x_refsource_MLIST
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077 | x_refsource_CONFIRM
http://www.securityfocus.com/bid/108437 | vdb-entry, x_refsource_BID

Impacted products

Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache JSPWiki | Apache JSPWiki 2.9.0 to 2.11.0.M3
CVE-2022-28732 (GCVE-0-2022-28732)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 06:03
CWE
- XSS
Summary
A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later.
References
URL | Tags
---|---
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC

Impacted products

Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache JSPWiki | Apache JSPWiki <
CVE-2025-24853 (GCVE-0-2025-24853)
Vulnerability from cvelistv5
Published
2025-07-31 08:42
Modified
2025-07-31 17:55
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request when creating a header link using the wiki markup syntax could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
URL | Tags
---|---
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853 | vendor-advisory

Impacted products

Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache JSPWiki | 0 <
CVE-2022-24947 (GCVE-0-2022-24947)
Vulnerability from cvelistv5
Published
2022-02-25 08:30
Modified
2024-08-03 04:29
CWE
- CSRF Account Takeover
Summary
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.
References
URL | Tags
---|---
https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c | x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/02/25/1 | mailing-list, x_refsource_MLIST

Impacted products

Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache JSPWiki | Apache JSPWiki up to 2.11.1
CVE-2022-46907 (GCVE-0-2022-46907)
Vulnerability from cvelistv5
Published
2023-05-25 06:58
Modified
2025-02-13 16:33
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later.
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache JSPWiki | 0 < Apache JSPWiki up to 2.12.0
CVE-2022-24948 (GCVE-0-2022-24948)
Vulnerability from cvelistv5
Published
2022-02-25 08:30
Modified
2024-08-03 04:29
CWE
- Cross-site scripting vulnerability on User Preferences screen
Summary
A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.
References
URL | Tags |
---|---|
https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b | x_refsource_MISC |
http://www.openwall.com/lists/oss-security/2022/02/25/2 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: Apache JSPWiki up to 2.11.1 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:29:01.128Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" }, { "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.1 " } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Paulos Yibelo, from Octagon Networks. " } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability on User Preferences screen", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-25T15:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" }, { "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-24948", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.1 " } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Paulos Yibelo, from Octagon Networks. " } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later." 
} ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability on User Preferences screen" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b", "refsource": "MISC", "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" }, { "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" } ] }, "source": { "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-24948", "datePublished": "2022-02-25T08:30:19", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:29:01.128Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-0224 (GCVE-0-2019-0224)
Vulnerability from cvelistv5
Published
2019-03-28 21:00
Modified
2024-08-04 17:44
CWE
- Cross-site scripting vulnerability
Summary
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
References
URL | Tags |
---|---|
https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224 | x_refsource_CONFIRM |
http://www.securityfocus.com/bid/107631 | vdb-entry, x_refsource_BID |
https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache | Apache JSPWiki | Version: Apache JSPWiki 2.9.0 to 2.11.0.M2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:15.405Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[jspwiki-dev] 20190326 [CVE-2019-0224] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224" }, { "name": "107631", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/107631" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache", "versions": [ { "status": "affected", "version": "Apache JSPWiki 2.9.0 to 2.11.0.M2" } ] } ], "datePublic": "2019-03-25T00:00:00", "descriptions": [ { "lang": "en", "value": "In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user\u0027s session. 
No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else\u0027s browser; only on its own browser." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-19T17:06:00", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[jspwiki-dev] 20190326 [CVE-2019-0224] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224" }, { "name": "107631", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/107631" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-0224", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M2" } ] } } ] }, "vendor_name": "Apache" 
} ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user\u0027s session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else\u0027s browser; only on its own browser." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "[jspwiki-dev] 20190326 [CVE-2019-0224] Apache JSPWiki Cross-site scripting vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67@%3Cdev.jspwiki.apache.org%3E" }, { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224", "refsource": "CONFIRM", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224" }, { "name": "107631", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107631" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0224", "datePublished": "2019-03-28T21:00:53", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": 
"2024-08-04T17:44:15.405Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-24854 (GCVE-0-2025-24854)
Vulnerability from cvelistv5
Published
2025-07-31 08:43
Modified
2025-07-31 17:55
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request using the Image plugin could trigger an XSS
vulnerability on Apache JSPWiki, which could allow the attacker to
execute javascript in the victim's browser and get some sensitive
information about the victim.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854 | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: 0 < |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-24854", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-31T13:38:50.896375Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-31T17:55:04.477Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.12.2", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "The issue was separately discovered by both XBOW (https://github.com/xbow-security, https://xbow.com) and Hamed Kohi \u003c0x.hamy.1ATgmailDOTcom\u003e" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eA carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApache JSPWiki users should upgrade to 2.12.3 or later.\u003cbr\u003e\u003c/div\u003e" } ], "value": "A carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow 
the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\n\n\n\n\n\nApache JSPWiki users should upgrade to 2.12.3 or later." } ], "metrics": [ { "other": { "content": { "text": "Medium" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-31T08:43:18.886Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-24854", "datePublished": "2025-07-31T08:43:18.886Z", "dateReserved": "2025-01-25T20:04:53.948Z", "dateUpdated": "2025-07-31T17:55:04.477Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-34158 (GCVE-0-2022-34158)
Vulnerability from cvelistv5
Published
2022-08-04 06:16
Modified
2024-08-03 08:16
CWE
- CSRF group privilege escalation
Summary
A carefully crafted invocation on the Image plugin could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: unspecified < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T08:16:17.225Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Huiseong Seo (t0rchwo0d), \u003cawdr1624AT gmail DOT com\u003e" } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker\u0027s account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page." } ], "metrics": [ { "other": { "content": { "other": "critical" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF group privilege escalation", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-04T06:16:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" } ], "source": { "discovery": "UNKNOWN" }, "title": "User Group Privilege Escalation", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. 
" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-34158", "STATE": "PUBLIC", "TITLE": "User Group Privilege Escalation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "Apache JSPWiki up to 2.11.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Huiseong Seo (t0rchwo0d), \u003cawdr1624AT gmail DOT com\u003e" } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker\u0027s account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "critical" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF group privilege escalation" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. 
" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-34158", "datePublished": "2022-08-04T06:16:11", "dateReserved": "2022-06-20T00:00:00", "dateUpdated": "2024-08-03T08:16:17.225Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-0225 (GCVE-0-2019-0225)
Vulnerability from cvelistv5
Published
2019-03-28 21:07
Modified
2024-08-04 17:44
CWE
- Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure
Summary
A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.
References
Impacted products
Vendor | Product | Version |
---|---|---|
Apache | Apache JSPWiki | Version: Apache JSPWiki 2.9.0 to 2.11.0.M2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:44:15.389Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[jspwiki-user] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-dev] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2" }, { "name": "[announce] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225" }, { "name": "107627", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/107627" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "tags": [ "mailing-list", 
"x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache", "versions": [ { "status": "affected", "version": "Apache JSPWiki 2.9.0 to 2.11.0.M2" } ] } ], "datePublic": "2019-03-25T00:00:00", "descriptions": [ { "lang": "en", "value": "A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users\u0027 details." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-19T17:06:00", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[jspwiki-user] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-dev] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2" }, { "name": "[announce] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225" }, { "name": "107627", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/107627" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 
vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-0225", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M2" } ] } } ] }, "vendor_name": "Apache" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users\u0027 details." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "[jspwiki-user] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9@%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-dev] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831@%3Cdev.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2" }, { "name": "[announce] 20190326 [CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d@%3Cannounce.apache.org%3E" }, { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225", "refsource": "CONFIRM", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225" }, { "name": "107627", "refsource": "BID", "url": "http://www.securityfocus.com/bid/107627" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E" }, { 
"name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0225", "datePublished": "2019-03-28T21:07:57", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-08-04T17:44:15.389Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-27136 (GCVE-0-2024-27136)
Vulnerability from cvelistv5
Published
2024-06-24 07:44
Modified
2025-03-20 18:03
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
XSS in Upload page in Apache JSPWiki 2.12.1 and prior allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.
References
URL | Tags |
---|---|
https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5 | vendor-advisory |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136 | vendor-advisory |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: 0 ≤ 2.12.1 |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-27136", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-06-24T13:27:24.688821Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-03-20T18:03:19.410Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-09-13T16:03:09.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136" }, { "url": "http://www.openwall.com/lists/oss-security/2024/06/23/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.12.1", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "finder", "value": "This issue was discovered by sonnh from Vietnam National Cyber security technology corporation" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim\u0027s 
browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. " } ], "value": "XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. " } ], "metrics": [ { "other": { "content": { "text": "moderate" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-06-24T07:44:30.732Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5" }, { "tags": [ "vendor-advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki: Cross-site scripting vulnerability on upload page", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2024-27136", "datePublished": "2024-06-24T07:44:30.732Z", "dateReserved": "2024-02-20T12:13:15.203Z", "dateUpdated": "2025-03-20T18:03:19.410Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-12407 (GCVE-0-2019-12407)
Vulnerability from cvelistv5
Published
2019-09-23 15:40
Modified
2024-08-04 23:17
CWE
- Information Disclosure
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | Apache JSPWiki | Version: Apache JSPWiki up to 2.11.0.M4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:17:40.131Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.0.M4" } ] } ], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-23T15:40:59", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-12407", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.0.M4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute 
javascript in the victim\u0027s browser and get some sensitive information about the victim." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-12407", "datePublished": "2019-09-23T15:40:59", "dateReserved": "2019-05-28T00:00:00", "dateUpdated": "2024-08-04T23:17:40.131Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-40369 (GCVE-0-2021-40369)
Vulnerability from cvelistv5
Published
2021-11-24 11:15
Modified
2024-08-04 02:44
CWE
- CVE-2021-40369
Summary
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369 | x_refsource_MISC |
https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh | x_refsource_MISC |
http://www.openwall.com/lists/oss-security/2022/08/03/3 | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: Apache JSPWiki < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:44:09.644Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" }, { "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.11.0.M8", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache JSPWiki would like to thank map1e (root@lazymaple.pw) for discovering this issue." } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later." 
} ], "metrics": [ { "other": { "content": { "other": "moderate" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "CVE-2021-40369", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-03T23:06:20", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" }, { "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" } ], "source": { "discovery": "UNKNOWN" }, "title": "XSS vulnerability on Denounce plugin", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. " } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-40369", "STATE": "PUBLIC", "TITLE": "XSS vulnerability on Denounce plugin" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "2.11.0.M8" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache JSPWiki would like to thank map1e (root@lazymaple.pw) for discovering this issue." 
} ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "moderate" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CVE-2021-40369" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "name": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh", "refsource": "MISC", "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" }, { "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. " } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-40369", "datePublished": "2021-11-24T11:15:13", "dateReserved": "2021-09-01T00:00:00", "dateUpdated": "2024-08-04T02:44:09.644Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10089 (GCVE-0-2019-10089)
Vulnerability from cvelistv5
Published
2019-09-23 14:51
Modified
2024-08-04 22:10
CWE
- Information Disclosure
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | Apache JSPWiki | Version: Apache JSPWiki up to 2.11.0.M4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.549Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.0.M4" } ] } ], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-23T14:51:02", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-10089", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.0.M4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim\u0027s browser and get some 
sensitive information about the victim." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10089", "datePublished": "2019-09-23T14:51:02", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.549Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-44140 (GCVE-0-2021-44140)
Vulnerability from cvelistv5
Published
2021-11-24 11:15
Modified
2024-08-04 04:17
CWE
- CVE-2021-44140
Summary
Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140 | x_refsource_MISC |
https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: Apache JSPWiki < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T04:17:24.421Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "2.11.0.M8", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache JSPWiki would like to thank haby0 (forhaby0@gmail.com) from Duxiaoman Financial Security Team for discovering and proposing the fix for this issue." } ], "descriptions": [ { "lang": "en", "value": "Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later." } ], "problemTypes": [ { "descriptions": [ { "description": "CVE-2021-44140", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-24T11:15:14", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" } ], "source": { "discovery": "UNKNOWN" }, "title": "Arbitrary file deletion on logout", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. 
" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-44140", "STATE": "PUBLIC", "TITLE": "Arbitrary file deletion on logout" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "2.11.0.M8" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache JSPWiki would like to thank haby0 (forhaby0@gmail.com) from Duxiaoman Financial Security Team for discovering and proposing the fix for this issue." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ {} ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CVE-2021-44140" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "name": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t", "refsource": "MISC", "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. 
" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-44140", "datePublished": "2021-11-24T11:15:14", "dateReserved": "2021-11-22T00:00:00", "dateUpdated": "2024-08-04T04:17:24.421Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-12404 (GCVE-0-2019-12404)
Vulnerability from cvelistv5
Published
2019-09-23 14:54
Modified
2024-08-04 23:17
CWE
- Information Disclosure
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | Apache JSPWiki | Version: Apache JSPWiki up to 2.11.0.M4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:17:40.002Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.0.M4" } ] } ], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-23T14:54:35", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-12404", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.0.M4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim\u0027s browser and get some 
sensitive information about the victim." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-12404", "datePublished": "2019-09-23T14:54:35", "dateReserved": "2019-05-28T00:00:00", "dateUpdated": "2024-08-04T23:17:40.002Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-20242 (GCVE-0-2018-20242)
Vulnerability from cvelistv5
Published
2019-02-11 21:00
Modified
2024-09-17 01:47
CWE
- n/a
Summary
A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking.
References
URL | Tags |
---|---|
http://www.securityfocus.com/bid/106804 | vdb-entry, x_refsource_BID |
https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: prior to 2.10.5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:58:18.686Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "106804", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/106804" }, { "name": "[user] 20190130 [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability onApache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "prior to 2.10.5" } ] } ], "datePublic": "2019-01-30T00:00:00", "descriptions": [ { "lang": "en", "value": "A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-19T17:06:00", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "106804", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/106804" }, { "name": "[user] 20190130 [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability onApache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2019-01-30T00:00:00", "ID": "CVE-2018-20242", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "prior to 2.10.5" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which 
could lead to session hijacking." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "106804", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106804" }, { "name": "[user] 20190130 [CVE-2018-20242] Apache JSPWiki Cross-site scripting vulnerability onApache JSPWiki", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4@%3Cuser.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190329 [jspwiki-site] branch jbake updated: add CVE-2019-0224 and CVE-2019-0225 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2018-20242", "datePublished": "2019-02-11T21:00:00Z", "dateReserved": "2018-12-19T00:00:00", "dateUpdated": "2024-09-17T01:47:05.525Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10076 (GCVE-0-2019-10076)
Vulnerability from cvelistv5
Published
2019-05-20 20:31
Modified
2024-08-04 22:10
CWE
- Cross-site scripting vulnerability
Summary
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
References
URL | Tags |
---|---|
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
http://www.openwall.com/lists/oss-security/2019/05/19/4 | mailing-list, x_refsource_MLIST |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076 | x_refsource_CONFIRM |
http://www.securityfocus.com/bid/108437 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: Apache JSPWiki 2.9.0 to 2.11.0.M3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.207Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10076] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108437" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-23T15:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10076] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108437" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-10076", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10076] Apache JSPWiki Cross-site scripting vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076", "refsource": "CONFIRM", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "name": "108437", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108437" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10076", "datePublished": "2019-05-20T20:31:41", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.207Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10090 (GCVE-0-2019-10090)
Vulnerability from cvelistv5
Published
2019-09-23 15:26
Modified
2024-08-04 22:10
CWE
- Information Disclosure
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | Apache JSPWiki | Version: Apache JSPWiki up to 2.11.0.M4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.441Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.0.M4" } ] } ], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-23T15:26:14", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-10090", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.0.M4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim\u0027s browser and get some 
sensitive information about the victim." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10090", "datePublished": "2019-09-23T15:26:14", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.441Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-28731 (GCVE-0-2022-28731)
Vulnerability from cvelistv5
Published
2022-08-04 06:15
Modified
2024-08-03 06:03
CWE
- CSRF Account Takeover
Summary
A carefully crafted request on UserPreferences.jsp could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: Apache JSPWiki < |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:03:52.648Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "This issue was discovered by Fabrice Perez, \u003cfabioperez AT gmail DOT com\u003e " } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page." } ], "metrics": [ { "other": { "content": { "other": "critical" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "CSRF Account Takeover", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-08-04T06:15:43", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache JSPWiki CSRF in UserPreferences.jsp", "workarounds": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. Installations \u003e= 2.7.0 can also enable user management workflows\u0027 manual approval to mitigate the issue. 
" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-28731", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki CSRF in UserPreferences.jsp" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache JSPWiki", "version_value": "Apache JSPWiki up to 2.11.2" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "This issue was discovered by Fabrice Perez, \u003cfabioperez AT gmail DOT com\u003e " } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "critical" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CSRF Account Takeover" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. Installations \u003e= 2.7.0 can also enable user management workflows\u0027 manual approval to mitigate the issue. 
" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28731", "datePublished": "2022-08-04T06:15:43", "dateReserved": "2022-04-05T00:00:00", "dateUpdated": "2024-08-03T06:03:52.648Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10087 (GCVE-0-2019-10087)
Vulnerability from cvelistv5
Published
2019-09-23 14:47
Modified
2024-08-04 22:10
CWE
- Information Disclosure
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
URL | Tags |
---|---|
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087 | x_refsource_MISC |
Impacted products
Vendor | Product | Version |
---|---|---|
n/a | Apache JSPWiki | Version: Apache JSPWiki up to 2.11.0.M4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.414Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Apache JSPWiki up to 2.11.0.M4" } ] } ], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." } ], "problemTypes": [ { "descriptions": [ { "description": "Information Disclosure", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-23T14:47:13", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2019-10087", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki up to 2.11.0.M4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim\u0027s 
browser and get some sensitive information about the victim." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Information Disclosure" } ] } ] }, "references": { "reference_data": [ { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10087", "datePublished": "2019-09-23T14:47:13", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.414Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-10078 (GCVE-0-2019-10078)
Vulnerability from cvelistv5
Published
2019-05-20 20:50
Modified
2024-08-04 22:10
CWE
- Cross-site scripting vulnerability
Summary
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
References
URL | Tags |
---|---|
https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
http://www.openwall.com/lists/oss-security/2019/05/19/6 | mailing-list, x_refsource_MLIST |
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078 | x_refsource_CONFIRM |
https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E | mailing-list, x_refsource_MLIST |
http://www.securityfocus.com/bid/108437 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version |
---|---|---|
Apache Software Foundation | Apache JSPWiki | Version: Apache JSPWiki 2.9.0 to 2.11.0.M3 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:10:09.382Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[jspwiki-dev] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "name": "[jspwiki-dev] 20190521 Re: [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/108437" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } ], "descriptions": [ { "lang": "en", "value": "A carefully crafted plugin 
link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-site scripting vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-23T15:06:05", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "name": "[jspwiki-dev] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "name": "[jspwiki-dev] 20190521 Re: [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E" }, { "name": "108437", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/108437" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": 
"security@apache.org", "ID": "CVE-2019-10078", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache JSPWiki", "version": { "version_data": [ { "version_value": "Apache JSPWiki 2.9.0 to 2.11.0.M3" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-site scripting vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "[jspwiki-dev] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9@%3Cdev.jspwiki.apache.org%3E" }, { "name": "[jspwiki-commits] 20190519 [jspwiki-site] branch jbake updated: added CVE-2019-10076, CVE-2019-10077 and CVE-2019-10078 vulnerability disclosures", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E" }, { "name": "[oss-security] 20190519 [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078", "refsource": "CONFIRM", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "name": "[jspwiki-dev] 20190521 Re: [CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki", 
"refsource": "MLIST", "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7@%3Cdev.jspwiki.apache.org%3E" }, { "name": "108437", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108437" } ] } } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-10078", "datePublished": "2019-05-20T20:50:54", "dateReserved": "2019-03-26T00:00:00", "dateUpdated": "2024-08-04T22:10:09.382Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2019-05-20 21:29
Modified
2024-11-21 04:18
Summary
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CBB187A-7039-4E1C-BF98-D90AD57B6E07", "versionEndIncluding": "2.11.0", "versionStartIncluding": "2.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1.rc3:*:*:*:*:*:*", "matchCriteriaId": "E8FD3601-1E39-4D89-BE89-829F0F2FAA5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable." }, { "lang": "es", "value": "Una invocaci\u00f3n de un enlace Plugin cuidadosamente dise\u00f1ada podr\u00eda desencadenar una vulnerabilidad XSS en Apache JSPWiki 2.9.0 a 2.11.0.M3, lo que podr\u00eda llevar al secuestro de sesi\u00f3n. Los informes iniciales indicaron ReferredPagesPlugin, pero un an\u00e1lisis m\u00e1s detallado mostr\u00f3 que los complementos m\u00faltiples eran vulnerables." 
} ], "id": "CVE-2019-10078", "lastModified": "2024-11-21T04:18:21.163", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-20T21:29:00.877", "references": [ { "source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "source": "security@apache.org", "url": "http://www.securityfocus.com/bid/108437" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": 
"https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/108437" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-23 16:15
Modified
2024-11-21 04:18
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
Impacted products
Vendor | Product | Version | Update |
---|---|---|---|
apache | jspwiki | * (up to and including 2.10.5) | |
apache | jspwiki | 2.11.0 | m1 |
apache | jspwiki | 2.11.0 | m1-rc1 |
apache | jspwiki | 2.11.0 | m1-rc2 |
apache | jspwiki | 2.11.0 | m1-rc3 |
apache | jspwiki | 2.11.0 | m2 |
apache | jspwiki | 2.11.0 | m2-rc1 |
apache | jspwiki | 2.11.0 | m3 |
apache | jspwiki | 2.11.0 | m3-rc1 |
apache | jspwiki | 2.11.0 | m3-rc2 |
apache | jspwiki | 2.11.0 | m4 |
apache | jspwiki | 2.11.0 | m4-rc1 |
apache | jspwiki | 2.11.0 | m4-rc2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9490098B-32BC-4DE1-A91C-0DB1781B6551", "versionEndIncluding": "2.10.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc3:*:*:*:*:*:*", "matchCriteriaId": "17D5A1A7-4D6D-44E6-9EE8-93F306300346", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3:*:*:*:*:*:*", "matchCriteriaId": "E857BCCA-1DF1-4E97-939A-72F58CAF7682", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc1:*:*:*:*:*:*", "matchCriteriaId": "6A59A703-D91D-4841-AF98-CF64ED0657D9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc2:*:*:*:*:*:*", "matchCriteriaId": "62E87475-188A-4793-8FE2-99E8F407ABB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4:*:*:*:*:*:*", "matchCriteriaId": "FAD5C4C6-B329-4763-9F8D-3DEECEAF6258", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc1:*:*:*:*:*:*", "matchCriteriaId": "8C294E89-885D-4963-B00C-BA8F03AB99FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc2:*:*:*:*:*:*", "matchCriteriaId": "615D6BA8-2E24-4A27-AD40-DEA5CBD47D76", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." }, { "lang": "es", "value": "En Apache JSPWiki, hasta la versi\u00f3n 2.11.0.M4, una invocaci\u00f3n de enlace de plugin cuidadosamente dise\u00f1ada podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con el editor plano, lo que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener alguna informaci\u00f3n confidencial sobre la v\u00edctima." } ], "id": "CVE-2019-10090", "lastModified": "2024-11-21T04:18:23.003", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2019-09-23T16:15:14.647", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-23 15:15
Modified
2024-11-21 04:22
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Impacted products
Vendor | Product | Version |
---|---|---|
apache | jspwiki | * (up to and including 2.10.5) |
apache | jspwiki | 2.11.0 (m1) |
apache | jspwiki | 2.11.0 (m1-rc1) |
apache | jspwiki | 2.11.0 (m1-rc2) |
apache | jspwiki | 2.11.0 (m1-rc3) |
apache | jspwiki | 2.11.0 (m2) |
apache | jspwiki | 2.11.0 (m2-rc1) |
apache | jspwiki | 2.11.0 (m3) |
apache | jspwiki | 2.11.0 (m3-rc1) |
apache | jspwiki | 2.11.0 (m3-rc2) |
apache | jspwiki | 2.11.0 (m4) |
apache | jspwiki | 2.11.0 (m4-rc1) |
apache | jspwiki | 2.11.0 (m4-rc2) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9490098B-32BC-4DE1-A91C-0DB1781B6551", "versionEndIncluding": "2.10.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc3:*:*:*:*:*:*", "matchCriteriaId": "17D5A1A7-4D6D-44E6-9EE8-93F306300346", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3:*:*:*:*:*:*", "matchCriteriaId": "E857BCCA-1DF1-4E97-939A-72F58CAF7682", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc1:*:*:*:*:*:*", "matchCriteriaId": "6A59A703-D91D-4841-AF98-CF64ED0657D9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc2:*:*:*:*:*:*", "matchCriteriaId": "62E87475-188A-4793-8FE2-99E8F407ABB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4:*:*:*:*:*:*", "matchCriteriaId": "FAD5C4C6-B329-4763-9F8D-3DEECEAF6258", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc1:*:*:*:*:*:*", "matchCriteriaId": "8C294E89-885D-4963-B00C-BA8F03AB99FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc2:*:*:*:*:*:*", "matchCriteriaId": "615D6BA8-2E24-4A27-AD40-DEA5CBD47D76", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." }, { "lang": "es", "value": "En Apache JSPWiki, hasta la versi\u00f3n 2.11.0.M4, una invocaci\u00f3n de enlace de plugin cuidadosamente dise\u00f1ada podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con archivo InfoContent.jsp, lo que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener alguna informaci\u00f3n confidencial sobre la v\u00edctima." } ], "id": "CVE-2019-12404", "lastModified": "2024-11-21T04:22:46.257", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2019-09-23T15:15:10.483", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-07-31 09:15
Modified
2025-08-04 13:13
Summary
A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.3 or later.
References
Source | URL | Tags |
---|---|---|
security@apache.org | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "387C1A91-C5D1-4062-828A-E2EF835C7408", "versionEndExcluding": "2.12.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\n\n\n\n\n\nApache JSPWiki users should upgrade to 2.12.3 or later." }, { "lang": "es", "value": "Una solicitud cuidadosamente manipulada con el complemento Image podr\u00eda desencadenar una vulnerabilidad XSS en Apache JSPWiki, lo que podr\u00eda permitir al atacante ejecutar JavaScript en el navegador de la v\u00edctima y obtener informaci\u00f3n confidencial sobre ella. Los usuarios de Apache JSPWiki deber\u00edan actualizar a la versi\u00f3n 2.12.3 o posterior." 
} ], "id": "CVE-2025-24854", "lastModified": "2025-08-04T13:13:52.373", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-07-31T09:15:27.650", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@apache.org", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-04 07:15
Modified
2024-11-21 06:57
Summary
A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A3E769-A3E7-4648-8792-5138BD591C1F", "versionEndExcluding": "2.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later." }, { "lang": "es", "value": "Una petici\u00f3n cuidadosamente dise\u00f1ada en el archivo AJAXPreview.jsp podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir informaci\u00f3n confidencial sobre la misma. Esta vulnerabilidad aprovecha la CVE-2021-40369, en la que el plugin de Denuncia renderiza peligrosamente las URLs suministradas por el usuario. Al volver a probar el CVE-2021-40369, parece que el parche estaba incompleto, ya que todav\u00eda era posible insertar entradas maliciosas por medio del plugin de Denuncia. 
Los usuarios de Apache JSPWiki deber\u00edan actualizar a la versi\u00f3n 2.11.3 o posterior" } ], "id": "CVE-2022-28730", "lastModified": "2024-11-21T06:57:49.337", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-04T07:15:07.510", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-04 07:15
Modified
2024-11-21 06:55
Summary
A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A3E769-A3E7-4648-8792-5138BD591C1F", "versionEndExcluding": "2.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on XHRHtml2Markup.jsp could trigger an XSS vulnerability on Apache JSPWiki up to and including 2.11.2, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." }, { "lang": "es", "value": "Una petici\u00f3n cuidadosamente dise\u00f1ada en el archivo XHRHtml2Markup.jsp podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki versiones hasta 2.11.2 inclusive, lo que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir informaci\u00f3n confidencial sobre ella" } ], "id": "CVE-2022-27166", "lastModified": "2024-11-21T06:55:19.760", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-04T07:15:07.377", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": 
"en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-06-24 08:15
Modified
2025-03-20 18:15
Severity
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "4FF7A52D-F6D4-4D76-89B4-A2DEF52B4012", "versionEndExcluding": "2.12.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. " }, { "lang": "es", "value": "XSS en la p\u00e1gina de carga en Apache JSPWiki 2.12.1 y versiones anteriores permite al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener informaci\u00f3n confidencial sobre la v\u00edctima. Los usuarios de Apache JSPWiki deben actualizar a 2.12.2 o posterior." } ], "id": "CVE-2024-27136", "lastModified": "2025-03-20T18:15:17.993", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2024-06-24T08:15:09.297", "references": [ { 
"source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/06/23/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@apache.org", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-24 12:15
Modified
2024-11-21 06:23
Summary
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.
References
Source | URL | Tags |
---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/08/03/3 | Mailing List, Third Party Advisory |
security@apache.org | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369 | Vendor Advisory |
security@apache.org | https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh | Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/08/03/3 | Mailing List, Third Party Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369 | Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EA27DB0-8A88-4DFF-AB00-A3E11C6D6181", "versionEndExcluding": "2.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later." }, { "lang": "es", "value": "Una invocaci\u00f3n a un enlace de un plugin cuidadosamente dise\u00f1ado podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con el plugin Report, que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir alguna informaci\u00f3n confidencial sobre la misma. 
Los usuarios de Apache JSPWiki deber\u00edan actualizar a la versi\u00f3n 2.11.0 o posterior" } ], "id": "CVE-2021-40369", "lastModified": "2024-11-21T06:23:58.353", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-24T12:15:07.597", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-04 07:15
Modified
2024-11-21 06:57
Summary
A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later.
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A3E769-A3E7-4648-8792-5138BD591C1F", "versionEndExcluding": "2.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later." }, { "lang": "es", "value": "Una petici\u00f3n cuidadosamente dise\u00f1ada en WeblogPlugin podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir informaci\u00f3n confidencial sobre la misma. Los usuarios de Apache JSPWiki deber\u00edan actualizar a la versi\u00f3n 2.11.3 o posterior" } ], "id": "CVE-2022-28732", "lastModified": "2024-11-21T06:57:49.567", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-04T07:15:07.597", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "sourceIdentifier": "security@apache.org", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-03-28 22:29
Modified
2024-11-21 04:16
Summary
A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users' details.
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "E36A808E-4950-42D9-92AF-8E64F2E02F36", "versionEndExcluding": "2.11.0", "versionStartIncluding": "2.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:-:*:*:*:*:*:*", "matchCriteriaId": "E13B516A-8D6B-4B6C-882E-A282CFE0E587", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone1-rc1:*:*:*:*:*:*", "matchCriteriaId": "B85C9FA6-A699-48DE-A2DA-52363B21C319", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone1-rc2:*:*:*:*:*:*", "matchCriteriaId": "66D0D950-02DD-4D47-ADA6-F030E3A38584", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone1-rc3:*:*:*:*:*:*", "matchCriteriaId": "FA52AF2B-E714-4769-A9D4-DB46C1ACFFA5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "F88F497A-C3A3-4363-BBFA-249C465DD6CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone2-rc1:*:*:*:*:*:*", "matchCriteriaId": "3A2FEDF8-A4F7-42B6-BC4C-60CC1F08845A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki 2.9.0 to 2.11.0.M2, which could be used by an attacker to obtain registered users\u0027 details." }, { "lang": "es", "value": "Una URL especialmente manipulada podr\u00eda utilizarse para acceder a archivos en el directorio ROOT de la aplicaci\u00f3n de Apache JSPWiki, desde la versi\u00f3n 2.9.0 hasta la 2.11.0.M2, lo que podr\u00eda ser utilizado por un atacante para obtener los detalles de los usuarios registrados." 
} ], "id": "CVE-2019-0225", "lastModified": "2024-11-21T04:16:32.130", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 7.8, "confidentialityImpact": "COMPLETE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-03-28T22:29:00.683", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2" }, { "source": "security@apache.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107627" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": 
"https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2019/03/26/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107627" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0225" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/03ddbcb1d6322e04734e65805a147a32bcfdb71b8fc5821fb046ba8d%40%3Cannounce.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/4f19fdbd8b9c4caf6137a459d723f4ec60379b033ed69277eb4e0af9%40%3Cuser.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/6251c06cb11e0b495066be73856592dbd7ed712487ef283d10972831%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ 
{ "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-11-24 12:15
Modified
2024-11-21 06:30
Summary
Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
References
Source | URL | Tags |
---|---|---|
security@apache.org | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140 | Vendor Advisory |
security@apache.org | https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t | Mailing List, Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140 | Vendor Advisory |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EA27DB0-8A88-4DFF-AB00-A3E11C6D6181", "versionEndExcluding": "2.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later." }, { "lang": "es", "value": "Unos atacantes remotos pueden eliminar archivos arbitrarios en un sistema que aloja una instancia de JSPWiki, versiones hasta 2.11.0.M8, al usar una petici\u00f3n http cuidadosamente dise\u00f1ada al cerrar la sesi\u00f3n, dado que esos archivos son accesibles para el usuario que ejecuta la instancia de JSPWiki. Los usuarios de Apache JSPWiki deber\u00edan actualizar a la versi\u00f3n 2.11.0 o posterior" } ], "id": "CVE-2021-44140", "lastModified": "2024-11-21T06:30:25.367", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", 
"userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-11-24T12:15:07.663", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-276" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-03-28 21:29
Modified
2024-11-21 04:16
Summary
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CB0BA31-EE4B-417A-A794-CE825A4DCEE6", "versionEndIncluding": "2.10.5", "versionStartIncluding": "2.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "1D391ED8-C176-4C60-BC0D-D92E6DF7CA57", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone1-rc1:*:*:*:*:*:*", "matchCriteriaId": "B85C9FA6-A699-48DE-A2DA-52363B21C319", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone1-rc2:*:*:*:*:*:*", "matchCriteriaId": "66D0D950-02DD-4D47-ADA6-F030E3A38584", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone1-rc3:*:*:*:*:*:*", "matchCriteriaId": "FA52AF2B-E714-4769-A9D4-DB46C1ACFFA5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "F88F497A-C3A3-4363-BBFA-249C465DD6CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:milestone2-rc1:*:*:*:*:*:*", "matchCriteriaId": "3A2FEDF8-A4F7-42B6-BC4C-60CC1F08845A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user\u0027s session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else\u0027s browser; only on its own browser." }, { "lang": "es", "value": "En Apache JSPWiki, desde la versi\u00f3n 2.9.0 hasta la 2.11.0M2, una URL especialmente manipulada podr\u00eda ejecutar JavaScript en la sesi\u00f3n de otro usuario. Ninguna informaci\u00f3n podr\u00eda grabarse en el servidor o la base de datos jspwiki, ni un atacante podr\u00eda ejecutar JavaScript en el navegador de otro usuario; solo podr\u00eda hacerlo en el suyo." 
} ], "id": "CVE-2019-0224", "lastModified": "2024-11-21T04:16:31.940", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-03-28T21:29:00.243", "references": [ { "source": "security@apache.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107631" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/107631" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-23 15:15
Modified
2024-11-21 04:18
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
Impacted products
Vendor | Product | Version | Qualifier |
---|---|---|---|
apache | jspwiki | * | up to and including 2.10.5 |
apache | jspwiki | 2.11.0 | m1 |
apache | jspwiki | 2.11.0 | m1-rc1 |
apache | jspwiki | 2.11.0 | m1-rc2 |
apache | jspwiki | 2.11.0 | m1-rc3 |
apache | jspwiki | 2.11.0 | m2 |
apache | jspwiki | 2.11.0 | m2-rc1 |
apache | jspwiki | 2.11.0 | m3 |
apache | jspwiki | 2.11.0 | m3-rc1 |
apache | jspwiki | 2.11.0 | m3-rc2 |
apache | jspwiki | 2.11.0 | m4 |
apache | jspwiki | 2.11.0 | m4-rc1 |
apache | jspwiki | 2.11.0 | m4-rc2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9490098B-32BC-4DE1-A91C-0DB1781B6551", "versionEndIncluding": "2.10.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc3:*:*:*:*:*:*", "matchCriteriaId": "17D5A1A7-4D6D-44E6-9EE8-93F306300346", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3:*:*:*:*:*:*", "matchCriteriaId": "E857BCCA-1DF1-4E97-939A-72F58CAF7682", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc1:*:*:*:*:*:*", "matchCriteriaId": "6A59A703-D91D-4841-AF98-CF64ED0657D9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc2:*:*:*:*:*:*", "matchCriteriaId": "62E87475-188A-4793-8FE2-99E8F407ABB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4:*:*:*:*:*:*", "matchCriteriaId": "FAD5C4C6-B329-4763-9F8D-3DEECEAF6258", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc1:*:*:*:*:*:*", "matchCriteriaId": "8C294E89-885D-4963-B00C-BA8F03AB99FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc2:*:*:*:*:*:*", "matchCriteriaId": "615D6BA8-2E24-4A27-AD40-DEA5CBD47D76", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." }, { "lang": "es", "value": "En Apache JSPWiki, hasta la versi\u00f3n 2.11.0.M4, una invocaci\u00f3n de enlace de plugin cuidadosamente dise\u00f1ada podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con el editor WYSIWYG, lo que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener alguna informaci\u00f3n confidencial sobre la v\u00edctima." } ], "id": "CVE-2019-10089", "lastModified": "2024-11-21T04:18:22.870", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2019-09-23T15:15:10.420", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-04 07:15
Modified
2024-11-21 07:08
Summary
A carefully crafted invocation on the Image plugin could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A3E769-A3E7-4648-8792-5138BD591C1F", "versionEndExcluding": "2.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker\u0027s account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page." }, { "lang": "es", "value": "Una invocaci\u00f3n cuidadosamente dise\u00f1ada en el plugin Image podr\u00eda desencadenar una vulnerabilidad de tipo CSRF en Apache JSPWiki versiones anteriores a 2.11.3, que podr\u00eda permitir una escalada de privilegios de grupo de la cuenta del atacante. 
Un examen m\u00e1s detallado de este problema determin\u00f3 que tambi\u00e9n pod\u00eda usarse para modificar el correo electr\u00f3nico asociado a la cuenta atacada, y luego una petici\u00f3n de restablecimiento de contrase\u00f1a desde la p\u00e1gina de inicio de sesi\u00f3n" } ], "id": "CVE-2022-34158", "lastModified": "2024-11-21T07:08:58.297", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-04T07:15:07.650", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-02-11 21:29
Modified
2024-11-21 04:01
Summary
A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, in versions up to 2.10.5, which could lead to session hijacking.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9490098B-32BC-4DE1-A91C-0DB1781B6551", "versionEndIncluding": "2.10.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking." }, { "lang": "es", "value": "Una URL cuidadosamente manipulada podr\u00eda provicar una vulnerabilidad Cross-Site Scripting (XSS) en Apache JSPWiki, desde las versiones hasta la 2.10.5, lo que podr\u00eda conducir al secuestro de sesiones." } ], "id": "CVE-2018-20242", "lastModified": "2024-11-21T04:01:09.247", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-02-11T21:29:00.287", "references": [ { "source": "security@apache.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"http://www.securityfocus.com/bid/106804" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/106804" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4%40%3Cuser.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-20 21:29
Modified
2024-11-21 04:18
Summary
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CBB187A-7039-4E1C-BF98-D90AD57B6E07", "versionEndIncluding": "2.11.0", "versionStartIncluding": "2.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1.rc3:*:*:*:*:*:*", "matchCriteriaId": "E8FD3601-1E39-4D89-BE89-829F0F2FAA5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." }, { "lang": "es", "value": "Un archivo adjunto malicioso cuidadosamente dise\u00f1ado podr\u00eda desencadenar una vulnerabilidad XSS en Apache JSPWiki 2.9.0 a 2.11.0.M3, lo que podr\u00eda provocar el secuestro de la sesi\u00f3n." 
} ], "id": "CVE-2019-10076", "lastModified": "2024-11-21T04:18:20.857", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-20T21:29:00.753", "references": [ { "source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "source": "security@apache.org", "url": "http://www.securityfocus.com/bid/108437" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/108437" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], 
"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-20 21:29
Modified
2024-11-21 04:18
Summary
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
References
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CBB187A-7039-4E1C-BF98-D90AD57B6E07", "versionEndIncluding": "2.11.0", "versionStartIncluding": "2.9.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1.rc3:*:*:*:*:*:*", "matchCriteriaId": "E8FD3601-1E39-4D89-BE89-829F0F2FAA5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking." }, { "lang": "es", "value": "Un enlace InterWiki cuidadosamente dise\u00f1ado podr\u00eda desencadenar una vulnerabilidad XSS en Apache JSPWiki 2.9.0 a 2.11.0.M3, lo que podr\u00eda llevar al secuestro de sesi\u00f3n." 
} ], "id": "CVE-2019-10077", "lastModified": "2024-11-21T04:18:21.030", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-20T21:29:00.817", "references": [ { "source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/5" }, { "source": "security@apache.org", "url": "http://www.securityfocus.com/bid/108437" }, { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077" }, { "source": "security@apache.org", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2019/05/19/5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/108437" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], 
"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-05-25 07:15
Modified
2025-02-13 17:15
Summary
A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later.
References
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2023/05/25/1 | Mailing List, Third Party Advisory | |
security@apache.org | https://lists.apache.org/thread/1m0mkq2nttx8tn94m11mytn4f0tv1504 | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/05/25/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/1m0mkq2nttx8tn94m11mytn4f0tv1504 | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "94906882-0669-4248-850D-2338931F0244", "versionEndExcluding": "2.12.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on several JSPWiki plugins could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.0 or later." } ], "id": "CVE-2022-46907", "lastModified": "2025-02-13T17:15:48.760", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-25T07:15:08.620", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2023/05/25/1" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/1m0mkq2nttx8tn94m11mytn4f0tv1504" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2023/05/25/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/1m0mkq2nttx8tn94m11mytn4f0tv1504" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", 
"weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@apache.org", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-23 16:15
Modified
2024-11-21 04:22
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
Impacted products
Vendor | Product | Version | Qualifier |
---|---|---|---|
apache | jspwiki | * | up to and including 2.10.5 |
apache | jspwiki | 2.11.0 | m1 |
apache | jspwiki | 2.11.0 | m1-rc1 |
apache | jspwiki | 2.11.0 | m1-rc2 |
apache | jspwiki | 2.11.0 | m1-rc3 |
apache | jspwiki | 2.11.0 | m2 |
apache | jspwiki | 2.11.0 | m2-rc1 |
apache | jspwiki | 2.11.0 | m3 |
apache | jspwiki | 2.11.0 | m3-rc1 |
apache | jspwiki | 2.11.0 | m3-rc2 |
apache | jspwiki | 2.11.0 | m4 |
apache | jspwiki | 2.11.0 | m4-rc1 |
apache | jspwiki | 2.11.0 | m4-rc2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9490098B-32BC-4DE1-A91C-0DB1781B6551", "versionEndIncluding": "2.10.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc3:*:*:*:*:*:*", "matchCriteriaId": "17D5A1A7-4D6D-44E6-9EE8-93F306300346", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3:*:*:*:*:*:*", "matchCriteriaId": "E857BCCA-1DF1-4E97-939A-72F58CAF7682", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc1:*:*:*:*:*:*", "matchCriteriaId": "6A59A703-D91D-4841-AF98-CF64ED0657D9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc2:*:*:*:*:*:*", "matchCriteriaId": "62E87475-188A-4793-8FE2-99E8F407ABB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4:*:*:*:*:*:*", "matchCriteriaId": "FAD5C4C6-B329-4763-9F8D-3DEECEAF6258", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc1:*:*:*:*:*:*", "matchCriteriaId": "8C294E89-885D-4963-B00C-BA8F03AB99FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc2:*:*:*:*:*:*", "matchCriteriaId": "615D6BA8-2E24-4A27-AD40-DEA5CBD47D76", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." }, { "lang": "es", "value": "En Apache JSPWiki, hasta la versi\u00f3n 2.11.0.M4, una invocaci\u00f3n de enlace de plugin cuidadosamente dise\u00f1ada podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con el par\u00e1metro remember en algunos de los JSP, lo que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener informaci\u00f3n confidencial sobre la v\u00edctima." } ], "id": "CVE-2019-12407", "lastModified": "2024-11-21T04:22:46.677", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": 
"Primary" } ] }, "published": "2019-09-23T16:15:14.977", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-02-25 09:15
Modified
2024-11-21 06:51
Summary
A carefully crafted user preferences submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.
References
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/02/25/2 | Mailing List, Third Party Advisory | |
security@apache.org | https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b | Mailing List, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/02/25/2 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b | Mailing List, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "300AE80B-D0D2-43AA-973A-2589F59C796D", "versionEndExcluding": "2.11.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later." }, { "lang": "es", "value": "Un env\u00edo de preferencias de usuario cuidadosamente dise\u00f1ado podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con la pantalla de preferencias de usuario, que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir alguna informaci\u00f3n confidencial sobre la misma. 
Los usuarios de Apache JSPWiki deber\u00edan actualizar a versi\u00f3n 2.11.2 o posterior.\n" } ], "id": "CVE-2022-24948", "lastModified": "2024-11-21T06:51:26.440", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-25T09:15:07.047", "references": [ { "source": "security@apache.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b" } ], "sourceIdentifier": "security@apache.org", 
"vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-07-31 09:15
Modified
2025-08-04 13:13
Summary
A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
Source | URL | Tags | |
---|---|---|---|
security@apache.org | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853 | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "387C1A91-C5D1-4062-828A-E2EF835C7408", "versionEndExcluding": "2.12.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute javascript\n in the victim\u0027s browser and get some sensitive information about the \nvictim.\n\n\n\nFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\n\nApache JSPWiki users should upgrade to 2.12.3 or later." }, { "lang": "es", "value": "Una solicitud cuidadosamente manipulada al crear un enlace de encabezado con la sintaxis de marcado wiki podr\u00eda permitir al atacante ejecutar JavaScript en el navegador de la v\u00edctima y obtener informaci\u00f3n confidencial sobre ella. Investigaciones posteriores del equipo de JSPWiki demostraron que el analizador de Markdown tambi\u00e9n permit\u00eda este tipo de ataque. Los usuarios de Apache JSPWiki deber\u00edan actualizar a la versi\u00f3n 2.12.3 o posterior." 
} ], "id": "CVE-2025-24853", "lastModified": "2025-08-04T13:13:54.440", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-07-31T09:15:26.160", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "security@apache.org", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2022-02-25 09:15
Modified
2024-11-21 06:51
Summary
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.
References
Source | URL | Tags | |
---|---|---|---|
security@apache.org | http://www.openwall.com/lists/oss-security/2022/02/25/1 | Mailing List, Mitigation, Third Party Advisory | |
security@apache.org | https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c | Mailing List, Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/02/25/1 | Mailing List, Mitigation, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c | Mailing List, Mitigation, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "300AE80B-D0D2-43AA-973A-2589F59C796D", "versionEndExcluding": "2.11.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later." }, { "lang": "es", "value": "El formulario de preferencias de usuario de Apache JSPWiki es vulnerable a ataques de tipo CSRF, que pueden conllevar a una toma de posesi\u00f3n de la cuenta. Los usuarios de Apache JSPWiki deber\u00edan actualizar a versi\u00f3n 2.11.2 o posterior.\n" } ], "id": "CVE-2022-24947", "lastModified": "2024-11-21T06:51:26.323", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-25T09:15:07.007", "references": [ { "source": 
"security@apache.org", "tags": [ "Mailing List", "Mitigation", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/1" }, { "source": "security@apache.org", "tags": [ "Mailing List", "Mitigation", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Mitigation", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2022/02/25/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Mitigation", "Vendor Advisory" ], "url": "https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-08-04 07:15
Modified
2024-11-21 06:57
Summary
A carefully crafted request on UserPreferences.jsp could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.
References
Source | URL | Tags | |
---|---|---|---|
security@apache.org | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | Not Applicable, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 | Not Applicable, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A3E769-A3E7-4648-8792-5138BD591C1F", "versionEndExcluding": "2.11.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page." }, { "lang": "es", "value": "Una petici\u00f3n cuidadosamente dise\u00f1ada en el archivo UserPreferences.jsp podr\u00eda desencadenar una vulnerabilidad de tipo CSRF en Apache JSPWiki versiones 2.11.3, que podr\u00eda permitir al atacante modificar el correo electr\u00f3nico asociado a la cuenta atacada, y luego una petici\u00f3n de restablecimiento de contrase\u00f1a desde la p\u00e1gina de inicio de sesi\u00f3n" } ], "id": "CVE-2022-28731", "lastModified": "2024-11-21T06:57:49.450", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-08-04T07:15:07.557", "references": [ { "source": "security@apache.org", "tags": [ "Not Applicable", "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable", "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732" } ], "sourceIdentifier": 
"security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-23 15:15
Modified
2024-11-21 04:18
Summary
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
References
Impacted products
Vendor | Product | Version | Update |
---|---|---|---|
apache | jspwiki | * (up to and including 2.10.5) | |
apache | jspwiki | 2.11.0 | m1 |
apache | jspwiki | 2.11.0 | m1-rc1 |
apache | jspwiki | 2.11.0 | m1-rc2 |
apache | jspwiki | 2.11.0 | m1-rc3 |
apache | jspwiki | 2.11.0 | m2 |
apache | jspwiki | 2.11.0 | m2-rc1 |
apache | jspwiki | 2.11.0 | m3 |
apache | jspwiki | 2.11.0 | m3-rc1 |
apache | jspwiki | 2.11.0 | m3-rc2 |
apache | jspwiki | 2.11.0 | m4 |
apache | jspwiki | 2.11.0 | m4-rc1 |
apache | jspwiki | 2.11.0 | m4-rc2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9490098B-32BC-4DE1-A91C-0DB1781B6551", "versionEndIncluding": "2.10.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1:*:*:*:*:*:*", "matchCriteriaId": "695F7479-0378-43BA-B4EF-2720D9D603B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc1:*:*:*:*:*:*", "matchCriteriaId": "FED3FE19-F79F-4935-A399-D02502257719", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc2:*:*:*:*:*:*", "matchCriteriaId": "C4F7A3FC-749D-4074-B8C5-B2E413E059E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m1-rc3:*:*:*:*:*:*", "matchCriteriaId": "17D5A1A7-4D6D-44E6-9EE8-93F306300346", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2:*:*:*:*:*:*", "matchCriteriaId": "544E5477-CADE-4E6A-B0AF-E178CE98CD39", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m2-rc1:*:*:*:*:*:*", "matchCriteriaId": "1518742F-4C6F-488F-8510-6D5774F46D6F", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3:*:*:*:*:*:*", "matchCriteriaId": "E857BCCA-1DF1-4E97-939A-72F58CAF7682", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc1:*:*:*:*:*:*", "matchCriteriaId": "6A59A703-D91D-4841-AF98-CF64ED0657D9", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m3-rc2:*:*:*:*:*:*", "matchCriteriaId": "62E87475-188A-4793-8FE2-99E8F407ABB0", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4:*:*:*:*:*:*", "matchCriteriaId": "FAD5C4C6-B329-4763-9F8D-3DEECEAF6258", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc1:*:*:*:*:*:*", "matchCriteriaId": "8C294E89-885D-4963-B00C-BA8F03AB99FA", "vulnerable": true }, { "criteria": "cpe:2.3:a:apache:jspwiki:2.11.0:m4-rc2:*:*:*:*:*:*", "matchCriteriaId": "615D6BA8-2E24-4A27-AD40-DEA5CBD47D76", "vulnerable": true } ], 
"negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim." }, { "lang": "es", "value": "En Apache JSPWiki, hasta la versi\u00f3n 2.11.0.M4, una invocaci\u00f3n de enlace de plugin cuidadosamente dise\u00f1ada podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con el Historial de Revisi\u00f3n de P\u00e1gina, lo que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y obtener alguna informaci\u00f3n confidencial sobre la v\u00edctima." } ], "id": "CVE-2019-10087", "lastModified": "2024-11-21T04:18:22.613", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] 
}, "published": "2019-09-23T15:15:10.327", "references": [ { "source": "security@apache.org", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087" } ], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }