CVE-2019-10078

MEDIUM LAB

Apache JSPWiki <2.11.0.M3 - XSS

Title source: llm

Description

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.

Exploits (2)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__jspwiki_CVE-2019-10078_2-11-0-M3
nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/apache__jspwiki_CVE-2019-10078_2_11_0_M4_fixed

Scores

CVSS v3 6.1
EPSS 0.0305
EPSS Percentile 86.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (4)
apache/jspwiki 2.11.0 m1 (6 CPE variants)
apache/jspwiki 2.9.0 - 2.11.0
org.apache.jspwiki/jspwiki-main 2.9.0 - 2.11.0.M4 (Maven)
org.apache.jspwiki/jspwiki-war 2.9.0 - 2.11.0.M4 (Maven)
Published May 20, 2019
Tracked Since Feb 18, 2026