Moderate severity · NVD Advisory · Published Sep 23, 2019 · Updated Aug 4, 2024

CVE-2019-10090

Description

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache JSPWiki up to 2.11.0.M4 has a stored XSS via crafted plugin link invocation in the plain editor, allowing JavaScript execution.

Vulnerability Overview

CVE-2019-10090 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki versions up to 2.11.0.M4. The flaw resides in the 'plain editor' component, where a carefully crafted plugin link invocation can be used to inject arbitrary JavaScript code [1][2]. The root cause is insufficient sanitization of user-supplied input within the plugin link functionality, enabling an attacker to break out of the intended HTML context.

Exploitation Scenario

An attacker who can create or edit wiki content—typically an authenticated user with appropriate permissions—can embed a malicious plugin link within a page. No additional authentication or network access is required beyond standard wiki editing capabilities. When other users view the crafted page, the injected payload executes in their browser, in the security context of their JSPWiki session [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can be used to steal sensitive information such as session cookies, page content, or authentication tokens, and to perform actions on behalf of the victim within the wiki. The vulnerability is rated as Medium severity, reflecting the need for authenticated access yet the potential for data compromise [1][2].

Mitigation

The Apache JSPWiki project has released version 2.11.0.M5, which fixes this vulnerability. Users are strongly advised to upgrade to this version or later. No workarounds have been documented for unpatched installations [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.jspwiki:jspwiki-war (Maven)
Affected versions: >= 2.9.0, < 2.11.0.M5
Patched versions: 2.11.0.M5
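
The affected range listed above (>= 2.9.0, < 2.11.0.M5) is easy to misjudge because the fixed build is a milestone that sorts before the final 2.11.0 release. The following check is an added example, not code from this page or from the JSPWiki project; the version-string format it accepts, the milestone ordering, and the host names in the sample inventory are assumptions.

```python
import re

# Range boundaries taken from the "Affected packages" entry on this page.
INTRODUCED = "2.9.0"
FIXED = "2.11.0.M5"

# Assumed format: X.Y or X.Y.Z, optionally followed by a milestone ".Mn".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.-]M(\d+))?$", re.IGNORECASE)


def version_key(version):
    """Turn 'X.Y.Z' or 'X.Y.Z.Mn' into a sortable tuple.

    Assumption: a milestone build (Mn) precedes the final release with the
    same numbers, so 2.11.0.M5 < 2.11.0. Final releases rank as infinity.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    rank = float("inf") if milestone is None else int(milestone)
    return (int(major), int(minor), int(patch or 0), rank)


def is_affected(version):
    """True when INTRODUCED <= version < FIXED."""
    return version_key(INTRODUCED) <= version_key(version) < version_key(FIXED)


def triage(inventory):
    """Map each host in a host->version dict to a triage status."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            # Unparseable versions need a manual look; never assume safe.
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical host names).
SAMPLE = {"wiki-a": "2.10.5", "wiki-b": "2.11.0.M4", "wiki-c": "2.11.0.M5",
          "wiki-d": "2.11.0", "wiki-e": "2.8.4", "wiki-f": "2.11.0-SNAPSHOT"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```
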