CVE-2019-0224
MEDIUM
Apache JSPWiki 2.9.0-2.11.0.M2 - Cross-Site Scripting via Crafted URL
Title source: llm
Description
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
References (5)
Core References
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E
Vendor Advisory x_refsource_confirm
https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/107631
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
Scores
CVSS v3
6.1
EPSS
0.0241
EPSS Percentile
85.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
apache/jspwiki
2.11.0 milestone1 (6 CPE variants)
apache/jspwiki
2.9.0 - 2.10.5
org.apache.jspwiki/jspwiki-main
2.9.0 - 2.11.0.M3 (Maven)
Published
Mar 28, 2019
Tracked Since
Feb 18, 2026