CVE-2025-24853

HIGH

Apache JSPWiki < 2.12.3 - Stored Cross-Site Scripting via Wiki Markup Header Link

Title source: llm

Description

A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2025/07/30/2

Vendor Advisory vendor-advisory

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853

Scores

CVSS v3 7.5

EPSS 0.0035

EPSS Percentile 57.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

apache/jspwiki < 2.12.3

org.apache.jspwiki/jspwiki-main 0 - 2.12.3Maven

org.apache.jspwiki/jspwiki-markdown 0 - 2.12.3Maven

Published Jul 31, 2025

Tracked Since Feb 18, 2026