CVE-2018-20242
Description
A carefully crafted URL could trigger an XSS vulnerability on Apache JSPWiki, from versions up to 2.10.5, which could lead to session hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted URL causes cross-site scripting in Apache JSPWiki up to 2.10.5, potentially allowing session hijacking.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Apache JSPWiki versions up to and including 2.10.5 [1][2]. The flaw is triggered by a specially crafted URL, which injects malicious script into the page output [1]. No special configuration is required; the vulnerable code path is reachable when the server processes a crafted request [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a crafted URL to a victim, either directly or via a malicious link. The victim must visit the crafted URL while authenticated (or with an active session) to a JSPWiki instance. No additional privileges or network position beyond standard web access are needed [1]. The script executes in the context of the victim's browser session, allowing theft of session cookies or execution of arbitrary actions on behalf of the victim [1][2].
Impact
Successful exploitation leads to reflected XSS, enabling the attacker to hijack the victim's session. This compromises the confidentiality and integrity of the JSPWiki instance, as the attacker can impersonate the victim, access sensitive data, or perform actions as the victim [1][2]. The scope of compromise is limited to the victim's session within the JSPWiki application.
Mitigation
The vulnerability is fixed in Apache JSPWiki version 2.11.0.M1 [2]. Users should upgrade to this version or later. No workaround is documented. JSPWiki versions prior to 2.10.5 are affected [1][2]. There is no indication this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-war | Maven | < 2.11.0.M1 | 2.11.0.M1 |
Affected products
- Apache Software Foundation / Apache JSPWiki (CPE v5 range: prior to 2.10.5)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5q75-cxcq-wr26 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-20242 (GHSA; advisory)
- www.securityfocus.com/bid/106804 (GHSA; vdb-entry, x_refsource_BID, web)
- lists.apache.org/thread.html/8ee4644432c0a433c5c514a57d940cf6dcb0a0094acd97b36290f0b4@%3Cuser.jspwiki.apache.org%3E (MITRE: mailing-list, x_refsource_MLIST; GHSA: web)
- lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E (MITRE: mailing-list, x_refsource_MLIST; GHSA: web)
- lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E (MITRE: mailing-list, x_refsource_MLIST; GHSA: web)
News mentions
No linked articles in our index yet.