Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen
Description
A carefully crafted user preferences submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute JavaScript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) in Apache JSPWiki user preferences screen allows attackers to execute JavaScript and steal sensitive information.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the user preferences screen of Apache JSPWiki versions up to 2.11.1 [1][2]. The flaw is triggered by a carefully crafted user preferences submission, which allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser session [2].
Exploitation
The attacker needs to be able to submit crafted user preferences to the server. This could be achieved by tricking an authenticated user (e.g., an admin) into visiting a malicious link, or by exploiting other mechanisms to submit the payload. Once the victim views the injected content on the user preferences screen, the attacker-supplied JavaScript executes in the victim's browser [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser on the affected Apache JSPWiki instance. This can lead to theft of sensitive information, such as session cookies or authentication tokens, which could be used to impersonate the victim or access other protected resources [1][2].
Mitigation
Users should upgrade to Apache JSPWiki version 2.11.2 or later, which contains the fix for this vulnerability [1][2]. No workarounds are mentioned in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-main (Maven) | < 2.11.2 | 2.11.2 |
Affected products
- Apache Software Foundation / Apache JSPWiki; range: Apache JSPWiki up to 2.11.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-9953-fmrw-v4vm (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-24948 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/02/25/2 (oss-security mailing list)
- lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b (Apache mailing list thread)
News mentions
No linked articles in our index yet.