XSS vulnerability on Denounce plugin
CVE-2021-40369

6.1MEDIUM

Key Information:

Vendor: Apache
Status: Apache Jspwiki
Vendor: CVE Published:; 24 November 2021

Summary

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.

Affected Version(s)

Apache JSPWiki Apache JSPWiki <= 2.11.0.M8

References

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369

x_refsource_MISC

https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2022/08/03/3

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Nov 24, 2021
Vulnerability Reserved
Sep 1, 2021

Credit

Apache JSPWiki would like to thank map1e ([email protected]) for discovering this issue.

.