CVE-2019-12407
Description
On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted plugin link in Apache JSPWiki up to 2.11.0.M4 triggers XSS via the 'remember' parameter, enabling JavaScript execution and data theft.
Vulnerability
Overview
CVE-2019-12407 is a cross-site scripting (XSS) vulnerability in Apache JSPWiki, affecting versions up to 2.11.0.M4. The flaw arises due to insufficient sanitization of the 'remember' parameter in certain JSP pages. An attacker can craft a malicious plugin link invocation that, when opened by a victim, injects arbitrary JavaScript into the rendering context[1][3].
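The defect class the overview describes, as an added example that is not JSPWiki's own code: a Python sketch of a server-side page that reflects the 'remember' request parameter into an HTML attribute without encoding, beside an insufficient fix (escaping only `<`, `>` and `&`) and the correct attribute-context encoding. The page name Login.jsp, the markup and both payloads are constructed for illustration; the advisory does not publish which JSPs are affected or the payload that was reported.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed payloads: generic reflected-XSS probes for an attribute context,
# not the payload reported for CVE-2019-12407.
PAYLOAD_BREAKOUT = '"><script>alert(1)</script><x y="'
PAYLOAD_HANDLER = '" onfocus="alert(1)" autofocus="'

# Hypothetical page: the advisory does not say which JSPs reflect 'remember'.
CRAFTED_URL = "https://wiki.example.test/Login.jsp?" + urlencode({"remember": PAYLOAD_BREAKOUT})


def remember_param(url: str) -> str:
    """Pull the 'remember' query parameter out of a crafted link, as the server would."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("remember", [""])[0]


def render_unsafe(remember: str) -> str:
    # Vulnerable pattern: the raw parameter is concatenated into markup,
    # the JSP equivalent of <%= request.getParameter("remember") %>.
    return f'<input type="checkbox" name="remember" value="{remember}">'


def render_half_fixed(remember: str) -> str:
    # Insufficient fix: escaping < > & stops a tag breakout but leaves the
    # quote character alone, so the attribute can still be closed early.
    return f'<input type="checkbox" name="remember" value="{html.escape(remember, quote=False)}">'


def render_safe(remember: str) -> str:
    # Hardened pattern: encode for the attribute context, quotes included.
    return f'<input type="checkbox" name="remember" value="{html.escape(remember, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag with its attributes, roughly as a browser tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []  # list of (tag, {attribute: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def script_would_run(markup: str) -> bool:
    """Heuristic for the demo: any element other than the intended <input>,
    or any inline event handler attribute, means attacker script would run."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    for tag, attrs in parser.tags:
        if tag != "input":
            return True
        if any(name.lower().startswith("on") for name in attrs):
            return True
    return False


if __name__ == "__main__":
    reflected = remember_param(CRAFTED_URL)
    renderers = [("unsafe", render_unsafe), ("half-fixed", render_half_fixed), ("safe", render_safe)]
    for label, renderer in renderers:
        for payload in (reflected, PAYLOAD_HANDLER):
            print(f"{label:10} script would run: {script_would_run(renderer(payload))}")
```

The half-fixed renderer is the edge case worth remembering: a generic "strip angle brackets" or entity-encode-without-quotes filter defeats the `<script>` breakout but not the `" onfocus=...` variant, because the injection point is inside a quoted attribute. Encoding has to match the output context.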
Exploitation
Vector
The attack requires the victim to interact with a specially crafted link, typically delivered via email, another website, or directly within the wiki. No authentication is needed to deliver the malicious payload; however, the victim must click the link while logged into the wiki to maximize the potential for data access. The XSS executes in the browser session's context[1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can be leveraged to steal session cookies, capture form data, or perform other malicious actions on behalf of the victim within the JSPWiki application, leading to information disclosure and potential account compromise[1][3].
Mitigation
Apache JSPWiki users should upgrade to version 2.11.0.M5 or later, which contains a fix for this issue. No workarounds have been published. The vulnerability was discovered by ADLab of VenusTech[3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-war | Maven | < 2.11.0.M5 | 2.11.0.M5 |
| org.apache.jspwiki:jspwiki-main | Maven | < 2.11.0.M5 | 2.11.0.M5 |
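A dependency check against the version range in the table above, as an added example that is not a tool from the advisory or the JSPWiki project: it orders JSPWiki's milestone-style version strings (a `2.11.0.M<n>` milestone sorts before the `2.11.0` release) and scans a constructed pom.xml for the two affected Maven artifacts, resolving `${property}` version references. The fixed version and artifact coordinates are taken from the table; the sample POM and its property name are made up.

```python
import re
import xml.etree.ElementTree as ET

# Fixed version and affected coordinates as listed in the advisory table on this page.
FIXED_VERSION = "2.11.0.M5"
AFFECTED_ARTIFACTS = {
    "org.apache.jspwiki:jspwiki-war",
    "org.apache.jspwiki:jspwiki-main",
}

# JSPWiki versions look like 2.10.5, 2.11.0.M4 or 2.11.0. A milestone (M<n>)
# precedes the GA release of the same base version, so the sort key carries
# a "is GA" flag ahead of the milestone number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> tuple:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JSPWiki version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(coordinate: str, version: str) -> bool:
    """True when the artifact is one the advisory lists and its version is below the fix."""
    return coordinate in AFFECTED_ARTIFACTS and version_key(version) < version_key(FIXED_VERSION)


_POM_NS = "http://maven.apache.org/POM/4.0.0"
_NS = {"m": _POM_NS}


def scan_pom(pom_xml: str) -> list:
    """Return (coordinate, resolved version, affected) for every listed JSPWiki
    dependency in a pom.xml. affected is None when the version cannot be parsed."""
    root = ET.fromstring(pom_xml)
    props = {
        p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", _NS)
    }
    findings = []
    # iter() also walks <dependencyManagement>, which is what you want here.
    for dep in root.iter(f"{{{_POM_NS}}}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=_NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=_NS).strip()
        raw_version = dep.findtext("m:version", default="", namespaces=_NS).strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), raw_version)
        coordinate = f"{group}:{artifact}"
        if coordinate not in AFFECTED_ARTIFACTS or not version:
            continue
        try:
            affected = is_affected(coordinate, version)
        except ValueError:
            affected = None  # unresolved property or odd version string: check by hand
        findings.append((coordinate, version, affected))
    return findings


# Constructed pom.xml: one affected artifact pinned through a property, one already patched.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>wiki-deploy</artifactId>
  <version>1.0</version>
  <properties>
    <jspwiki.version>2.11.0.M4</jspwiki.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.jspwiki</groupId>
      <artifactId>jspwiki-war</artifactId>
      <version>${jspwiki.version}</version>
      <type>war</type>
    </dependency>
    <dependency>
      <groupId>org.apache.jspwiki</groupId>
      <artifactId>jspwiki-main</artifactId>
      <version>2.11.0.M5</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.9</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for coordinate, version, affected in scan_pom(SAMPLE_POM):
        print(f"{coordinate} {version}: {'AFFECTED' if affected else 'ok' if affected is False else 'unknown'}")
```

The ordering rule is the part most generic scanners get wrong: a naive string or tuple compare puts `2.11.0` below `2.11.0.M5`, which would flag the GA release as vulnerable, and compares `M10` against `M5` lexically.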
Affected products
- Apache / Apache JSPWiki
  - GHSA coordinates: 2 version ranges, each < 2.11.0.M5 (no CPE assigned)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-p2r4-rpj8-m2p9 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2019-12407 (NVD entry, listed in the GHSA advisory)
3. jspwiki-wiki.apache.org/Wiki.jsp (Apache JSPWiki wiki, x_refsource_MISC)
News mentions
No linked articles in our index yet.