Cross-site Scripting (XSS)

Affecting org.apache.jspwiki:jspwiki-war artifact, versions [2.9.0,2.11.0.M5)

Overview

org.apache.jspwiki:jspwiki-war is an open source WikiWiki engine, feature-rich and built around standard JEE components (Java, servlets, JSP).

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A carefully crafted plugin link invocation could trigger an XSS vulnerability in Apache JSPWiki, related to the Page Revision History, which could allow an attacker to execute JavaScript in the victim's browser and obtain some sensitive information about the victim.

Remediation

Upgrade org.apache.jspwiki:jspwiki-war to version 2.11.0.M5 or higher.

CVSS Score

4.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Credit: Jegatheesh A, ZOHO-CRM Security team
CVE: CVE-2019-10087
CWE: CWE-79
Snyk ID: SNYK-JAVA-ORGAPACHEJSPWIKI-536064
Disclosed: 11 Oct, 2019
Published: 26 Nov, 2019