XSS vulnerability on Denounce plugin
Description
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted plugin link in Apache JSPWiki's Denounce plugin allows XSS, leading to JavaScript execution and sensitive data theft. Upgrade to 2.11.0+.
Vulnerability
A carefully crafted plugin link invocation in Apache JSPWiki’s Denounce plugin triggers a Cross-Site Scripting (XSS) vulnerability [1][4]. The Denounce plugin dangerously renders user-supplied URLs without proper sanitization. This affects Apache JSPWiki up to version 2.11.0.M8 [4].
Exploitation
An attacker can craft a malicious plugin link that, when invoked by a victim, executes arbitrary JavaScript in the victim’s browser. No special privileges are required beyond the ability to create or inject a plugin link within a wiki page that the victim views [1][4]. The attacker does not need to be authenticated if the target wiki allows public editing or if the link can be delivered via other means (e.g., email).
Impact
Successful exploitation allows the attacker to execute JavaScript in the victim’s browser, enabling theft of sensitive information such as session tokens, credentials, or personal data [1][4]. The impact is limited to the victim’s browser session and the data accessible within the wiki application context.
Mitigation
Users should upgrade to Apache JSPWiki version 2.11.0 or later [1][4]. No known workarounds are documented. The vulnerability was publicly disclosed in November 2021. Later analysis (CVE-2022-28730) suggested the initial patch was incomplete, but that issue is tracked separately and requires upgrading to 2.11.3 or later [3].
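The narrative above describes the general failure class (a plugin parameter rendered into a link without sanitization) but not JSPWiki's actual code paths. The following added example is not JSPWiki's Denounce plugin code and does not reproduce the advisory's exploit; it contrasts the unsafe concatenation pattern with a hardened renderer that allowlists the URL scheme and attribute-encodes every value. The class, method names and the scheme policy are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative only: how a wiki plugin that turns a user-supplied parameter
 * into an HTML link can validate and encode it before rendering.
 * This is NOT JSPWiki code; names and policy are assumptions.
 */
public final class SafeLinkRenderer {
    // Assumed site policy: only these schemes may appear in a rendered href.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Unsafe pattern: the raw parameter is concatenated straight into markup. */
    static String renderUnsafe(String url, String text) {
        return "<a href=\"" + url + "\">" + text + "</a>";
    }

    /** Hardened pattern: reject unexpected schemes, then encode every value for its context. */
    static String renderSafe(String url, String text) {
        if (!hasAllowedScheme(url)) {
            // Never emit a rejected value as a link; degrade to escaped plain text.
            return escapeHtml(text);
        }
        return "<a href=\"" + escapeHtml(url) + "\">" + escapeHtml(text) + "</a>";
    }

    /** True only for a syntactically valid absolute URI whose scheme is allowlisted. */
    static boolean hasAllowedScheme(String url) {
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme();
            return scheme != null && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            // Malformed input is treated as untrusted, not repaired.
            return false;
        }
    }

    /** Minimal encoder for text nodes and double-quoted attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String ok = "https://example.org/page?a=1&b=2";
        System.out.println(renderUnsafe(ok, "site"));   // raw '&' lands unencoded in the attribute
        System.out.println(renderSafe(ok, "site"));     // '&' becomes '&amp;', link still works
        System.out.println(renderSafe("javascript:void(0)", "site")); // scheme rejected: plain text only
        System.out.println(renderSafe("not a url", "site"));          // malformed: plain text only
    }
}
```

The two controls are independent: the scheme allowlist stops script-bearing URLs from ever becoming a link target, and the attribute encoding stops a valid-looking URL from breaking out of the `href` attribute. A fix that applies only one of them leaves the other path open, which is the kind of gap the incomplete-patch follow-up mentioned above illustrates.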
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-main (Maven) | < 2.11.0 | 2.11.0 |
Affected products
- Apache Software Foundation / Apache JSPWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cfqj-9g2g-w7q6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-40369 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/08/03/3 (oss-security mailing list)
- jspwiki-wiki.apache.org/Wiki.jsp (web)
- lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh (Apache mailing list thread)
News mentions
No linked articles in our index yet.