Apache JSPWiki CSRF Account Takeover
Description
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. Apache JSPWiki users should upgrade to 2.11.2 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, allowing account takeover.
Vulnerability
A cross-site request forgery (CSRF) vulnerability exists in the Apache JSPWiki user preferences form. An attacker can trick an authenticated user into submitting a crafted request, modifying the victim's account settings. This affects Apache JSPWiki versions up to and including 2.11.1 [1][2].
Exploitation
The attacker must craft a malicious web page or link that triggers a state-changing request to the JSPWiki user preferences endpoint. The victim must be authenticated to the JSPWiki instance and visit the attacker's page while having an active session [1][2].
Impact
A successful CSRF attack can lead to account takeover. The attacker can change arbitrary preferences, including the user's password or other account settings, thereby gaining full control of the victim's account [1][2].
Mitigation
Users should upgrade to Apache JSPWiki 2.11.2 or later. Additionally, installations running version 2.7.0 or later can enable manual approval for user management workflows as a partial workaround [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
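The advisory describes the general shape of the flaw (a state-changing preferences form that accepts any authenticated browser request, whoever initiated it) and the fix (upgrade). As an added illustration of the standard defence, and not code from JSPWiki or the advisory, the servlet filter below enforces a per-session synchronizer token plus an Origin/Referer check on every non-GET request to a hypothetical `/preferences` endpoint; the class name, attribute names and URL pattern are assumptions for this example.

```java
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical CSRF filter for a state-changing preferences form (example code, not JSPWiki's own).
// Map it in web.xml to the form's POST handler, e.g. <url-pattern>/preferences</url-pattern> (assumed path).
public class CsrfFilter implements Filter {
    static final String TOKEN_ATTR = "csrf.token";   // session attribute holding the per-session token
    static final String TOKEN_PARAM = "csrf_token";  // hidden field the form template must carry
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns the session's token, minting one on first use; the JSP embeds it as a hidden input. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String t = (String) session.getAttribute(TOKEN_ATTR);
            if (t == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                t = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(TOKEN_ATTR, t);
            }
            return t;
        }
    }

    /** Constant-time comparison so a mismatch reveals nothing through timing. */
    static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** A forged cross-site POST arrives with the attacker's Origin; only the application's own origin passes. */
    static boolean originAllowed(HttpServletRequest req) {
        String origin = req.getHeader("Origin");
        if (origin == null) origin = req.getHeader("Referer");
        if (origin == null) return true;  // header stripped by a proxy: the token check below still applies
        String expected = req.getScheme() + "://" + req.getServerName();
        int port = req.getServerPort();
        boolean defaultPort = ("https".equals(req.getScheme()) && port == 443)
                           || ("http".equals(req.getScheme()) && port == 80);
        if (!defaultPort) expected += ":" + port;
        // Origin is scheme://host[:port]; Referer may carry a path, so accept the exact origin or origin + "/..."
        return origin.equals(expected) || origin.startsWith(expected + "/");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        String m = req.getMethod();
        // Rendering the form (GET) stays reachable; only methods that change state are gated.
        boolean stateChanging = !("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m));
        if (stateChanging) {
            HttpSession session = req.getSession(false);
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            if (!originAllowed(req) || !tokensMatch(expected, req.getParameter(TOKEN_PARAM))) {
                // Reject before any preference (password, e-mail) is touched.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token missing or invalid");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Both checks are needed for the reason the Impact section gives: the browser attaches the victim's session cookie automatically, so a session alone proves nothing about who built the request. The token is something the attacker's page cannot read across origins, and the Origin check rejects the request even if the form template forgets to embed the token. A rejected submission should also be logged with the session id and Origin value, since a burst of 403s on the preferences endpoint is the detection signal for an active campaign.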
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-main (Maven) | < 2.11.2 | 2.11.2 |
Affected products
- Apache Software Foundation / Apache JSPWiki, affected range: up to 2.11.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-4284-x26r-4hhc (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-24947 (NVD)
- https://www.openwall.com/lists/oss-security/2022/02/25/1 (oss-security mailing list)
- https://lists.apache.org/thread/txrgykjkpt80t57kzpbjo8kfrv8ss02c (Apache mailing list)
News mentions
No linked articles in our index yet.