CVE-2019-10076
Description
A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki 2.9.0 to 2.11.0.M3 is vulnerable to XSS via malicious attachments, enabling session hijacking.
Vulnerability
CVE-2019-10076 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki versions 2.9.0 through 2.11.0.M3. The flaw arises from insufficient sanitization of uploaded file attachments; a carefully crafted malicious attachment can inject arbitrary JavaScript into the wiki page context [1].
Exploitation
An attacker can exploit this by uploading a specially crafted attachment to the wiki. When a user views the attachment or interacts with it, the injected script executes in the user's browser session. Beyond the ability to upload attachments, no authentication is required, and the attack does not depend on any particular network position [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, leading to session hijacking, theft of sensitive information, or defacement of the wiki [1][2].
Mitigation
The Apache JSPWiki project has addressed this vulnerability in version 2.11.0.M4 and later. Users are advised to upgrade immediately [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-war (Maven) | >= 2.9.0, < 2.11.0.M4 | 2.11.0.M4 |
| org.apache.jspwiki:jspwiki-main (Maven) | >= 2.9.0, < 2.11.0.M4 | 2.11.0.M4 |
Affected products
- GHSA coordinates (no CPE), version range: >= 2.9.0, < 2.11.0.M4
- Apache Software Foundation / Apache JSPWiki (CVE v5 record), range: Apache JSPWiki 2.9.0 to 2.11.0.M3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-cxx2-fp39-rf3r (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-10076 (NVD advisory)
- https://www.openwall.com/lists/oss-security/2019/05/19/4 (oss-security mailing list)
- https://www.securityfocus.com/bid/108437 (SecurityFocus BID entry)
- https://jspwiki-wiki.apache.org/Wiki.jsp (vendor confirmation)
- https://lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E (commits.jspwiki.apache.org mailing list)
News mentions
No linked articles in our index yet.