GHSA-ggjq-8c4c-68r5

Suggest an improvement
Source
https://github.com/advisories/GHSA-ggjq-8c4c-68r5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-ggjq-8c4c-68r5/GHSA-ggjq-8c4c-68r5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-ggjq-8c4c-68r5
Aliases
Published
2022-08-05T00:00:30Z
Modified
2023-11-01T04:58:37.458113Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Apache JSPWiki XSS due to incomplete patch for CVE-2021-40369
Details

A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.

Database specific
{
    "nvd_published_at": "2022-08-04T07:15:00Z",
    "github_reviewed_at": "2022-08-11T15:46:48Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Maven / org.apache.jspwiki:jspwiki-main

Package

Name
org.apache.jspwiki:jspwiki-main
View open source insights on deps.dev
Purl
pkg:maven/org.apache.jspwiki/jspwiki-main

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.11.3

Affected versions

2.*

2.11.0.M1
2.11.0.M2
2.11.0.M3
2.11.0.M4
2.11.0.M5
2.11.0.M6
2.11.0.M7
2.11.0.M8
2.11.0
2.11.1
2.11.2