CVE-2019-0224: XSS
First published: Thu Mar 28 2019(Updated: )
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache JSPWiki | >=2.9.0<=2.10.5 | |
| Apache JSPWiki | =2.11.0-milestone1 | |
| Apache JSPWiki | =2.11.0-milestone1-rc1 | |
| Apache JSPWiki | =2.11.0-milestone1-rc2 | |
| Apache JSPWiki | =2.11.0-milestone1-rc3 | |
| Apache JSPWiki | =2.11.0-milestone2 | |
| Apache JSPWiki | =2.11.0-milestone2-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/107631
- https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-0224
- https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67@%3Cdev.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
Frequently Asked Questions
What is the impact of CVE-2019-0224?
A carefully crafted URL could execute JavaScript on another user's session.
Can an attacker save information on the server or jspwiki database with CVE-2019-0224?
No, an attacker cannot save any information on the server or the JSPWiki database.
Is it possible to execute JavaScript on someone else's browser with CVE-2019-0224?
No, the vulnerability only allows executing JavaScript on the attacker's browser.
Which versions of Apache JSPWiki are affected by CVE-2019-0224?
Versions 2.9.0 to 2.11.0.M2 are affected.
How severe is the CVE-2019-0224 vulnerability?
The vulnerability has a severity rating of 6.1 (medium).
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/type
- agent/description
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/remedy
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache jspwiki
- version/apache jspwiki/2.9.0
- version/apache jspwiki/2.10.5
- version/apache jspwiki/2.11.0-milestone1
- version/apache jspwiki/2.11.0-milestone1-rc1
- version/apache jspwiki/2.11.0-milestone1-rc2
- version/apache jspwiki/2.11.0-milestone1-rc3
- version/apache jspwiki/2.11.0-milestone2
- version/apache jspwiki/2.11.0-milestone2-rc1