CVE-2019-0224
Description
In Apache JSPWiki 2.9.0 to 2.11.0.M2, a carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted URL in Apache JSPWiki 2.9.0 to 2.11.0.M2 can execute JavaScript in a user's own browser session, a self-XSS vulnerability.
Vulnerability
Apache JSPWiki versions 2.9.0 through 2.11.0.M2 contain a cross-site scripting (XSS) vulnerability where a carefully crafted URL can execute JavaScript in the context of a user's own browser session [1][2][3]. The vulnerability lies in how the wiki processes a crafted URL, allowing script execution when the user visits the malicious link.
Exploitation
An attacker must craft a malicious URL and trick a user into clicking it. The attacker does not need authentication or special network position; the attack relies on social engineering. The JavaScript executes only in the victim's own browser session; no data is stored on the server or database [1][3].
Impact
The impact is limited to self-XSS: the attacker can execute JavaScript in their own browser, not on another user's browser. The vulnerability does not allow information to be saved on the server or database, nor does it permit cross-user scripting [1][3].
Mitigation
The vulnerability is fixed in Apache JSPWiki version 2.11.0.M3 [2][3]. Users should upgrade to this version or later. No workaround is documented in the available references.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-main (Maven) | >= 2.9.0, < 2.11.0.M3 | 2.11.0.M3 |
Affected products
- Apache/Apache JSPWiki (v5), range: Apache JSPWiki 2.9.0 to 2.11.0.M2
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-fmpq-w5q6-9vf9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0224 (ghsa, ADVISORY)
- www.securityfocus.com/bid/107631 (ghsa, vdb-entry, x_refsource_BID, WEB)
- jspwiki-wiki.apache.org/Wiki.jsp (ghsa, x_refsource_CONFIRM, WEB)
- lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16@%3Ccommits.jspwiki.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67%40%3Cdev.jspwiki.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/b4b4992a93d899050c1117a07c3c7fc9a175ec0672ab97065228de67@%3Cdev.jspwiki.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1%40%3Ccommits.jspwiki.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/e42d6e93384d4a33e939989cd00ea2a06ccf1e7bb1e6bdd3bf5187c1@%3Ccommits.jspwiki.apache.org%3E (ghsa, WEB)