JSPWiki / JSPWIKI-1093

Reflected XSS in JSPWiki v2.11.0-M1

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.10.3, 2.10.4, 2.10.5, 2.11.0-M1, 2.11.0-M2
    • Fix Version/s: 2.11.0-M3
    • Component/s: Templates and UI
    • Labels: None

    Description

      ---------- Forwarded message ---------
      From: Muthukumar Marikani <muthukumar.marikani@zohocorp.com>
      Date: Fri, Mar 15, 2019 at 1:14 PM
      Subject: Reflected XSS in JSPWiki v2.11.0-M1
      To: security <security@apache.org>

      Hi,

      I have found a reflected XSS vulnerability in JSPWiki v2.11.0-M1

      [snip]

      An attacker can execute JavaScript in the victim's browser by sending a crafted URL to the victim.

      Recommended fix:

      Encode the values which come from the user end.

      Product: JSPWiki
      Version: v2.11.0-M1
      Verified in: Firefox 65.0.1, macOS 10.12.6
      Severity: Medium

      Regards,
      Muthukumar Marikani (unknown_person)
      ZOHO-CRM Security Team

          People

            Assignee: Dirk Frederickx (brushed)
            Reporter: Dirk Frederickx (brushed)