CVE-2019-10078

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
apachejspwiki
2.9.0 ≤
𝑥
≤ 2.11.0
apachejspwiki
2.11.0:m1
apachejspwiki
2.11.0:m1-rc1
apachejspwiki
2.11.0:m1-rc2
apachejspwiki
2.11.0:m1.rc3
apachejspwiki
2.11.0:m2
apachejspwiki
2.11.0:m2-rc1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jspwiki
disco
dne
cosmic
dne
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2019/05/19/6
http://www.securityfocus.com/bid/108437
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078
https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
http://www.openwall.com/lists/oss-security/2019/05/19/6
http://www.securityfocus.com/bid/108437
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078
https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E