CVE-2019-10078: XSS
First published: Mon May 20 2019(Updated: )
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache JSPWiki | >=2.9.0<=2.11.0 | |
| Apache JSPWiki | =2.11.0-m1 | |
| Apache JSPWiki | =2.11.0-m1-rc1 | |
| Apache JSPWiki | =2.11.0-m1-rc2 | |
| Apache JSPWiki | =2.11.0-m1.rc3 | |
| Apache JSPWiki | =2.11.0-m2 | |
| Apache JSPWiki | =2.11.0-m2-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2019/05/19/6
- http://www.securityfocus.com/bid/108437
- https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078
- https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9@%3Cdev.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7@%3Cdev.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E
- https://lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2019-10078?
The severity of CVE-2019-10078 is medium.
Which versions of Apache JSPWiki are affected by CVE-2019-10078?
Apache JSPWiki versions 2.9.0 to 2.11.0.M3 are affected by CVE-2019-10078.
What is the impact of CVE-2019-10078?
CVE-2019-10078 could lead to session hijacking.
Which plugins are vulnerable to CVE-2019-10078?
Multiple plugins on Apache JSPWiki are vulnerable to CVE-2019-10078.
How can I fix CVE-2019-10078?
Upgrade Apache JSPWiki to a version later than 2.11.0.M3 to fix CVE-2019-10078.
- collector/nvd-index
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache jspwiki
- version/apache jspwiki/2.9.0
- version/apache jspwiki/2.11.0
- version/apache jspwiki/2.11.0-m1
- version/apache jspwiki/2.11.0-m1-rc1
- version/apache jspwiki/2.11.0-m1-rc2
- version/apache jspwiki/2.11.0-m1.rc3
- version/apache jspwiki/2.11.0-m2
- version/apache jspwiki/2.11.0-m2-rc1