XSS Vulnerability in Apache JSPWiki Affecting Multiple Plugins
CVE-2019-10078

6.1MEDIUM

Key Information:

Vendor

Apache
Status
Apache Jspwiki
Vendor
CVE Published:
20 May 2019

What is CVE-2019-10078?

A vulnerability exists in Apache JSPWiki versions 2.9.0 through 2.11.0.M3, where a crafted plugin link invocation can lead to cross-site scripting (XSS). This flaw potentially allows attackers to hijack user sessions by exploiting multiple plugins, with initial reports focusing on the ReferredPagesPlugin. Security measures are crucial to mitigate this risk, as the breadth of affected plugins increases the attack surface.

Affected Version(s)

Apache JSPWiki Apache JSPWiki 2.9.0 to 2.11.0.M3

References

https://lists.apache.org/thread.html/24f324ef11e43ba89ec9...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/aac253cfc33c0429b528...
mailing-listx_refsource_MLIST
http://www.openwall.com/lists/oss-security/2019/05/19/6
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.