CVE-2019-10078

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

3.2%

top 13.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Jspwiki Apache Software Foundation Apache Jspwiki

Timeline

PublishedMay 20

Latest updateJun 6

Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Mavenorg.apache.jspwiki:jspwiki-war2.9.0 — 2.11.0.M4

▶Mavenorg.apache.jspwiki:jspwiki-main2.9.0 — 2.11.0.M4

▶NVDapache/jspwiki2.9.0 — 2.11.0+1

▶CVEListV5apache_software_foundation/apache_jspwikiApache JSPWiki 2.9.0 to 2.11.0.M3

🔴Vulnerability Details

GHSA

Cross-site Scriptin in JSPWiki↗2019-06-06

▶

OSV

Cross-site Scriptin in JSPWiki↗2019-06-06

▶

CVEList

CVE-2019-10078: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2↗2019-05-20

▶