CVE-2019-10078

MEDIUM LAB

Apache JSPWiki 2.9.0-2.11.0.M3 - Cross-Site Scripting via Plugin Link Invocation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-10078. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains the Apache JSPWiki source code with patches and updates, including references to CVE-2019-10078. It does not include a functional exploit but provides technical details about the vulnerability and its fixes.

Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Exploits (2)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__jspwiki_CVE-2019-10078_2-11-0-M3

This repository contains the Apache JSPWiki source code with patches and updates, including references to CVE-2019-10078. It does not include a functional exploit but provides technical details about the vulnerability and its fixes.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Apache JSPWiki
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__jspwiki_CVE-2019-10078_2_11_0_M4_fixed

This repository contains the source code for Apache JSPWiki 2.11, including integration tests and documentation. It does not include an exploit PoC but provides the fixed version of the software, which can be analyzed to understand the vulnerability and patch.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Apache JSPWiki 2.11.0.M4
No auth needed
Prerequisites: Access to the vulnerable JSPWiki instance
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 6.1
EPSS 0.0305
EPSS Percentile 87.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (4)
apache/jspwiki 2.11.0 m1 (6 CPE variants)
apache/jspwiki 2.9.0 - 2.11.0
org.apache.jspwiki/jspwiki-main 2.9.0 - 2.11.0.M4 (Maven)
org.apache.jspwiki/jspwiki-war 2.9.0 - 2.11.0.M4 (Maven)
Published May 20, 2019
Tracked Since Feb 18, 2026