CVE-2019-10089
Description
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki up to 2.11.0.M4 has a stored XSS vulnerability in the WYSIWYG editor, triggered by a crafted plugin link invocation, that allows an attacker to execute JavaScript.
Vulnerability
Overview
CVE-2019-10089 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki, affecting versions up to and including 2.11.0.M4. The flaw resides in the WYSIWYG editor, where a carefully crafted plugin link invocation is not properly sanitized, allowing an attacker to inject malicious JavaScript code [1][2].
Exploitation
An attacker with the ability to create or edit wiki pages can embed a malicious plugin link. When a victim views the page, the crafted link triggers the XSS payload in the context of the victim's browser. The vulnerability does not require authentication beyond the ability to modify content, making it exploitable by any user with page editing privileges [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of sensitive information, such as session cookies or authentication tokens, and potentially enable further attacks like session hijacking or defacement [1][2].
Mitigation
The Apache JSPWiki project has addressed this vulnerability in version 2.11.0.M5. Users are strongly advised to upgrade to this version or later to eliminate the risk. No workarounds are documented [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-war (Maven) | >= 2.9.0, < 2.11.0.M5 | 2.11.0.M5 |
Affected products
- Apache/Apache JSPWiki
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-3rx2-x6mx-grj3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10089 (ghsa, ADVISORY)
- jspwiki-wiki.apache.org/Wiki.jsp (ghsa, x_refsource_MISC, WEB)