CVE-2019-12404
Description
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki up to and including 2.11.0.M4 contains a cross-site scripting vulnerability in InfoContent.jsp, reachable through a crafted plugin link invocation, that lets an attacker execute JavaScript in a victim's browser.
Vulnerability
Overview
CVE-2019-12404 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki versions up to and including 2.11.0.M4. The flaw resides in the InfoContent.jsp page, where a carefully crafted plugin link invocation is not properly sanitized. This allows an attacker to inject malicious JavaScript code that will be executed in the context of the victim's browser session [1][2].
Exploitation
An attacker exploits this vulnerability by crafting a plugin link invocation that InfoContent.jsp renders without adequate sanitization, then causing a victim to load the affected page so that the injected JavaScript runs in the JSPWiki application's security context. The CVE description and the cited advisories do not state what privileges, if any, are needed to get the crafted invocation in front of a victim; as with any XSS issue, the attack depends on a victim's browser rendering the attacker-controlled content, which in practice usually means social engineering or a wiki page the victim visits anyway [2].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser with the origin of the JSPWiki site. This can lead to theft of data the script can reach, such as session cookies not flagged HttpOnly, authentication tokens held in page storage, or any wiki content visible in the DOM. The attacker could also issue requests on behalf of the victim within the JSPWiki application (editing pages, changing settings), potentially leading to further compromise [1][2].
Mitigation
The Apache JSPWiki project has addressed this vulnerability in version 2.11.0.M5. Users are strongly advised to upgrade to this version or later to mitigate the risk. No workarounds have been provided for earlier versions [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-war | Maven | >= 2.9.0, < 2.11.0.M5 | 2.11.0.M5 |
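The mitigation section and the affected-versions table above reduce to one question for a deployment: is the jspwiki-war artifact you ship inside >= 2.9.0 and < 2.11.0.M5? The trap is the milestone suffix: 2.11.0.M4 is vulnerable, 2.11.0.M5 is fixed, and the final 2.11.0 release sorts after both milestones, so a naive string or tuple comparison gets the boundary wrong. The following is an added example, not code from the JSPWiki project or from the advisories; it assumes JSPWiki's `major.minor.patch` / `major.minor.patch.M<n>` version format (milestones before the final release, as Maven orders them) and uses a constructed pom.xml as sample input.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Range taken from the GitHub Security Advisory row on this page:
# >= 2.9.0 and < 2.11.0.M5 is affected; 2.11.0.M5 is the first fixed build.
AFFECTED_MIN = "2.9.0"
FIRST_FIXED = "2.11.0.M5"

# Assumption: JSPWiki versions look like 2.10.5 or 2.11.0.M4 (milestone).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Parse a JSPWiki version into a sortable tuple.

    Milestone builds sort BEFORE the final release of the same number, so the
    tuple carries a 'kind' field (0 = milestone, 1 = final) ahead of the
    milestone counter: 2.11.0.M4 < 2.11.0.M5 < 2.11.0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JSPWiki version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside the CVE-2019-12404 affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIRST_FIXED)


def _local(tag: str) -> str:
    # ElementTree prefixes namespaced tags with '{uri}'; keep only the local name.
    return tag.rsplit("}", 1)[-1]


def find_jspwiki_war_version(pom_xml: str) -> Optional[str]:
    """Return the declared version of org.apache.jspwiki:jspwiki-war, or None."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if (fields.get("groupId") == "org.apache.jspwiki"
                and fields.get("artifactId") == "jspwiki-war"):
            return fields.get("version")
    return None


def audit_pom(pom_xml: str) -> Tuple[Optional[str], Optional[bool]]:
    """(version, affected) for the jspwiki-war dependency; (None, None) if absent."""
    version = find_jspwiki_war_version(pom_xml)
    if version is None:
        return None, None
    return version, is_affected(version)


# Constructed sample pom.xml (not a real project's file) pinning a vulnerable milestone.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>wiki-deploy</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.jspwiki</groupId>
      <artifactId>jspwiki-war</artifactId>
      <version>2.11.0.M4</version>
      <type>war</type>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    version, affected = audit_pom(SAMPLE_POM)
    state = "AFFECTED by CVE-2019-12404" if affected else "outside the affected range"
    print(f"jspwiki-war {version}: {state}")
```

Point `audit_pom` at the real pom.xml of the WAR you deploy (or at the version string a `mvn dependency:tree` run reports) rather than the sample; a version inherited from a parent POM or a `<properties>` placeholder will not be resolved by this lookup and needs the effective POM instead.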
Affected products
- Apache / Apache JSPWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7qmg-qg53-mrp8 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-12404 (NVD advisory)
- jspwiki-wiki.apache.org/Wiki.jsp (vendor reference, MISC)
News mentions
No linked articles in our index yet.