CVE-2019-10087
Description
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Apache JSPWiki's Page Revision History allows an attacker to execute arbitrary JavaScript via a crafted plugin link.
Vulnerability
Description
CVE-2019-10087 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki, affecting versions up to and including 2.11.0.M4 [1]. The flaw resides in the Page Revision History feature, where a carefully crafted plugin link invocation fails to sanitize user input properly [2]. This allows an attacker to inject malicious JavaScript into a page's revision history metadata.
Exploitation
To exploit this vulnerability, an attacker must be able to post content or create plugin links on the wiki that reference the revision history [1]. No elevated privileges beyond standard user access are strictly required, as the injected payload is triggered when any victim views the revision history page containing the malicious link. The attack does not require authentication from the victim beyond normal wiki access.
Impact
Successful exploitation results in arbitrary JavaScript execution in the victim's browser within the context of the JSPWiki application [1][2]. The attacker can then steal session cookies, capture sensitive form data, perform actions on behalf of the victim, or redirect the user to malicious sites. The impact is limited to the victim's session and data accessible through the wiki, but it can lead to further account compromise or data exfiltration.
Mitigation
The Apache Software Foundation has addressed this issue in JSPWiki version 2.11.0.M5 [2]. Users should upgrade to this or a later release immediately. No workarounds are documented for earlier versions; restricting the ability to create plugin links or deploying Content Security Policy (CSP) headers may reduce the risk but does not eliminate it.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-war (Maven) | >= 2.9.0, < 2.11.0.M5 | 2.11.0.M5 |
Affected products
- Apache / Apache JSPWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gwfq-qwmp-x9xg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10087 (NVD advisory)
- jspwiki-wiki.apache.org/Wiki.jsp (Apache JSPWiki web reference)
News mentions
No linked articles in our index yet.