CVE-2019-10077
Description
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki versions 2.9.0 to 2.11.0.M3 are vulnerable to stored XSS via crafted InterWiki links, enabling session hijacking.
Vulnerability
Analysis
CVE-2019-10077 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki affecting versions 2.9.0 through 2.11.0.M3. The root cause lies in insufficient sanitization of InterWiki links, which allow wiki pages to reference external sites using a special syntax. An attacker can craft a malicious InterWiki link containing JavaScript code that, when rendered by the wiki engine, executes in the context of the viewer's browser [1].
Exploitation
The attack surface is the wiki page editing functionality—any user with the ability to create or edit wiki pages can inject the malicious link. The vulnerability does not require authentication beyond standard wiki editing permissions. The crafted link is stored in the page content, meaning the XSS payload triggers whenever any user—including administrators—views the affected page. No social engineering beyond enticing a user to load the compromised page is needed [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's session. The most direct consequence is session hijacking: the attacker can steal session cookies or perform actions on behalf of the victim, potentially gaining administrative privileges if the victim is an administrator. This can lead to full wiki compromise, data theft, and further lateral movement within the hosting environment [1].
Mitigation
The Apache Software Foundation released version 2.11.0.M4, which patches the vulnerability by properly escaping InterWiki link output. All users running affected versions are advised to upgrade immediately. No known workarounds exist other than upgrading. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing, but it is a publicly documented, easily weaponizable issue [2].
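As an added illustration, not JSPWiki's own parser or the actual patch, here is a minimal InterWiki link renderer in Python that models the class of defect the analysis describes (link parts dropped into the generated HTML without output encoding) beside the escaped form the fix is said to apply. The prefix table, the `%s` template convention and all function names are constructed for this example.

```python
import html
from urllib.parse import quote

# Constructed InterWiki table for this example: prefix -> URL template,
# where "%s" is replaced by the page name written after the colon in
# [Prefix:Page]. Real deployments read this from site configuration.
INTERWIKI = {
    "Wikipedia": "https://en.wikipedia.org/wiki/%s",
    "JSPWiki": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=%s",
}


def split_interwiki(link):
    """Split 'Prefix:Page' into (prefix, page); None if the prefix is unknown."""
    prefix, sep, page = link.partition(":")
    if not sep or prefix not in INTERWIKI:
        return None
    return prefix, page


def render_unsafe(link):
    """Model of the defect: the page name is substituted into the href and
    echoed as link text verbatim, so a quote character in the link closes
    the attribute and the remainder becomes live markup for the viewer."""
    parts = split_interwiki(link)
    if parts is None:
        return html.escape(link)
    prefix, page = parts
    url = INTERWIKI[prefix] % page
    return '<a href="%s">%s</a>' % (url, link)


def render_safe(link):
    """Hardened form: percent-encode the page name before it enters the URL
    template, then HTML-escape both the attribute value and the visible text,
    so no character written in the wiki page can change the markup shape."""
    parts = split_interwiki(link)
    if parts is None:
        return html.escape(link, quote=True)
    prefix, page = parts
    url = INTERWIKI[prefix] % quote(page, safe="")
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True),
        html.escape(link, quote=True),
    )
```

A harmless inert tag in the page name is enough to show the difference: the unsafe renderer emits it as markup, the safe one emits it as text and a percent-encoded URL component.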
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-war (Maven) | >= 2.9.0, < 2.11.0.M4 | 2.11.0.M4 |
| org.apache.jspwiki:jspwiki-main (Maven) | >= 2.9.0, < 2.11.0.M4 | 2.11.0.M4 |
Affected products
- GHSA coordinates (2 versions): >= 2.9.0, < 2.11.0.M4 (+1 more)
- (no CPE) range: >= 2.9.0, < 2.11.0.M4
- (no CPE) range: >= 2.9.0, < 2.11.0.M4
- Apache Software Foundation / Apache JSPWiki (v5) range: Apache JSPWiki 2.9.0 to 2.11.0.M3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cj6j-32rg-45r2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10077 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2019/05/19/5 (MITRE, mailing list, x_refsource_MLIST)
- www.securityfocus.com/bid/108437 (MITRE, VDB entry, x_refsource_BID)
- jspwiki-wiki.apache.org/Wiki.jsp (GHSA, x_refsource_CONFIRM, web)
- lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E (MITRE, mailing list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.