CVE-2019-10078
Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki 2.9.0 to 2.11.0.M3, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki 2.9.0 to 2.11.0.M3 suffers from a cross-site scripting vulnerability in multiple plugins, leading to potential session hijacking via crafted plugin links.
Vulnerability
Overview
The vulnerability identified as CVE-2019-10078 affects Apache JSPWiki versions 2.9.0 through 2.11.0.M3. It is a cross-site scripting (XSS) flaw that arises when a specially crafted plugin link invocation is processed. While initial reporting indicated only the ReferredPagesPlugin was vulnerable, further analysis revealed that multiple plugins share this weakness [1][2].
Exploitation and Attack Surface
An attacker exploits this by getting a user to follow a crafted link that invokes a vulnerable plugin. The attacker needs no credentials on the wiki; the session-hijacking outcome only requires that the victim be logged in to the affected JSPWiki instance when the link is opened. The attack surface is broad because more than one plugin is affected, and the vector is client-side and depends on user interaction [1][2].
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript into the context of the victim's browser. This can lead to session hijacking, enabling the attacker to perform actions as the authenticated user, access sensitive data, or deface the wiki content [1][2].
Mitigation
The Apache Software Foundation has released version 2.11.0.M4, which addresses the vulnerability. Users are strongly advised to upgrade to this version or later to mitigate the risk [2]. No workarounds have been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
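The practical question for an operator is whether a deployment sits inside the advisory's range, and JSPWiki's milestone numbering makes a naive string or numeric comparison wrong: 2.11.0.M3 and the fixed 2.11.0.M4 both sort before the 2.11.0 final release. The script below is an added example, not code from the advisory or from the JSPWiki project. It encodes the GHSA range (>= 2.9.0, < 2.11.0.M4) for the two Maven artifacts listed on this page, parses milestone version strings, and audits a constructed pom.xml (not from any real project) that pins one vulnerable and one patched artifact, resolving a `${jspwiki.version}` property the way Maven would.

```python
"""Check whether a JSPWiki deployment falls in the CVE-2019-10078 affected range.

Added example, not part of the advisory or of the JSPWiki project: it encodes the
GHSA range (>= 2.9.0, < 2.11.0.M4) and shows how to compare milestone versions
such as 2.11.0.M3, which sort before the 2.11.0 final release.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_ARTIFACTS = {"jspwiki-war", "jspwiki-main"}   # from the GHSA package list
RANGE_START = "2.9.0"        # inclusive
RANGE_END = "2.11.0.M4"      # exclusive: the first patched version

# Accepts 2.10.5, 2.11.0, 2.11.0.M3 and 2.11.0-M3 (assumed spellings of a milestone).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple for a JSPWiki version string.

    Milestones sort before the final release with the same base number, so the
    tuple carries a flag: (major, minor, patch, 0, n) for milestone n and
    (major, minor, patch, 1, 0) for a final release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JSPWiki version: {text!r}")
    major, minor, patch, milestone = m.groups()
    base = (int(major), int(minor), int(patch or 0))
    if milestone is None:
        return base + (1, 0)
    return base + (0, int(milestone))


def is_affected(version):
    """True if version lies in [2.9.0, 2.11.0.M4)."""
    v = parse_version(version)
    return parse_version(RANGE_START) <= v < parse_version(RANGE_END)


_POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def jspwiki_versions_from_pom(pom_xml):
    """Map JSPWiki artifactId -> resolved version for dependencies in a pom.xml string.

    A version written as ${prop} is resolved against the POM's <properties>
    block, so a centrally declared jspwiki.version is still checked.
    """
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", _POM_NS)}
    found = {}
    for dep in root.iter(f"{{{_POM_NS['m']}}}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=_POM_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=_POM_NS).strip()
        version = dep.findtext("m:version", default="", namespaces=_POM_NS).strip()
        if group != "org.apache.jspwiki" or artifact not in AFFECTED_ARTIFACTS:
            continue
        prop = re.fullmatch(r"\$\{([^}]+)\}", version)
        if prop:
            version = props.get(prop.group(1), version)
        found[artifact] = version
    return found


def audit_pom(pom_xml):
    """Return {artifact: (version, affected)} for the JSPWiki dependencies in a POM."""
    return {a: (v, is_affected(v)) for a, v in jspwiki_versions_from_pom(pom_xml).items()}


# Constructed sample POM (not from any real project): one vulnerable milestone
# pulled in through a property, one artifact already on the patched version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>wiki-site</artifactId><version>1.0</version>
  <properties><jspwiki.version>2.11.0.M3</jspwiki.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.jspwiki</groupId>
      <artifactId>jspwiki-war</artifactId>
      <version>${jspwiki.version}</version>
      <type>war</type>
    </dependency>
    <dependency>
      <groupId>org.apache.jspwiki</groupId>
      <artifactId>jspwiki-main</artifactId>
      <version>2.11.0.M4</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for artifact, (version, bad) in audit_pom(SAMPLE_POM).items():
        print(f"{artifact} {version}: {'AFFECTED' if bad else 'ok'}")
```

The milestone flag is the part worth keeping: a check that compares `"2.11.0.M4" < "2.11.0"` lexically, or strips the suffix, would report a patched 2.11.0.M4 as vulnerable or a vulnerable 2.11.0.M3 as fixed. The POM parser only covers versions declared directly or through a property in the same file; versions inherited from a parent POM or a dependencyManagement section elsewhere need `mvn dependency:tree` or the deployed WAR's manifest instead.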
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-war | Maven | >= 2.9.0, < 2.11.0.M4 | 2.11.0.M4 |
| org.apache.jspwiki:jspwiki-main | Maven | >= 2.9.0, < 2.11.0.M4 | 2.11.0.M4 |
Affected products
- GHSA coordinates, org.apache.jspwiki:jspwiki-war (no CPE): >= 2.9.0, < 2.11.0.M4
- GHSA coordinates, org.apache.jspwiki:jspwiki-main (no CPE): >= 2.9.0, < 2.11.0.M4
- Apache Software Foundation / Apache JSPWiki (CVE record v5 range): Apache JSPWiki 2.9.0 to 2.11.0.M3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-hp5r-mhgp-56c9 (GHSA; advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-10078 (GHSA; advisory)
- [3] www.openwall.com/lists/oss-security/2019/05/19/6 (MITRE; mailing list, x_refsource_MLIST)
- [4] www.securityfocus.com/bid/108437 (MITRE; VDB entry, x_refsource_BID)
- [5] jspwiki-wiki.apache.org/Wiki.jsp (GHSA; vendor confirmation, x_refsource_CONFIRM)
- [6] lists.apache.org/thread.html/24f324ef11e43ba89ec9aac3725a5ecd4289835639c476299e7660d9%40%3Cdev.jspwiki.apache.org%3E (MITRE; mailing list, x_refsource_MLIST)
- [7] lists.apache.org/thread.html/959811b776e1a332a1a4295405b683fd64190d079a7c3028f1c314d7%40%3Cdev.jspwiki.apache.org%3E (MITRE; mailing list, x_refsource_MLIST)
- [8] lists.apache.org/thread.html/aac253cfc33c0429b528e2fcbe82d3a42d742083c528f58d192dfd16%40%3Ccommits.jspwiki.apache.org%3E (MITRE; mailing list, x_refsource_MLIST)
News mentions
No linked articles in our index yet.