Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp
Description
A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute JavaScript in the victim's browser and obtain some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete, as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in Apache JSPWiki's AJAXPreview.jsp allows attackers to execute JavaScript and steal sensitive information by exploiting an incomplete patch for CVE-2021-40369 via the Denounce plugin.
Root Cause
A cross-site scripting (XSS) vulnerability exists in Apache JSPWiki's AJAXPreview.jsp page. The flaw stems from an incomplete patch for CVE-2021-40369, which addressed a similar issue in the Denounce plugin: the patch did not fully mitigate the risk, and malicious input could still be injected via the Denounce plugin [1].
Exploitation
An attacker can send a carefully crafted request to AJAXPreview.jsp. When a victim visits a specially crafted URL or interacts with the malicious request, the attacker's JavaScript is executed in the victim's browser. No special privileges are required; the attacker only needs to lure the victim to the malicious resource [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to the theft of sensitive information, such as session cookies or other personal data, and to actions performed on behalf of the victim within the wiki application [1].
Mitigation
Users of Apache JSPWiki should upgrade to version 2.11.3 or later, which contains the complete fix for this vulnerability [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-main | Maven | < 2.11.3 | 2.11.3 |
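The affected range in the table (jspwiki-main below 2.11.3) is what an upgrade check has to enforce, and version strings with qualifiers such as 2.11.3-SNAPSHOT are the usual edge case. The following Python is an added example written for this page, not code from the advisory or the JSPWiki project: it parses Maven-style version strings, orders them (a simplification of Maven's full qualifier rules), and flags the entries of a constructed dependency inventory that fall in the affected range. The coordinate and the fixed version come from the table above; the sample inventory and the helper names are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Affected coordinate and fixed version as given by the advisory.
AFFECTED_GROUP = "org.apache.jspwiki"
AFFECTED_ARTIFACT = "jspwiki-main"
FIXED_VERSION = "2.11.3"


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split a Maven-style version into numeric components and an optional
    qualifier, e.g. "2.11.0-M8" -> ((2, 11, 0), "M8")."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z0-9.]+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, (m.group(2) or "")


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before version b.

    Numeric parts are compared component-wise after zero-padding, so
    2.11 == 2.11.0. A qualified version (SNAPSHOT, milestone, rc) sorts
    before the unqualified final release with the same numbers; this is a
    simplification of Maven's ComparableVersion ordering, which is enough
    for an affected-range check like this one.
    """
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return na < nb
    if qa and not qb:
        return True
    if qb and not qa:
        return False
    return qa < qb


def find_affected(coordinates: List[str]) -> List[str]:
    """Return the group:artifact:version coordinates that match the advisory's
    affected package and sort below the fixed version."""
    hits = []
    for coord in coordinates:
        group, artifact, version = coord.split(":")
        if (group == AFFECTED_GROUP and artifact == AFFECTED_ARTIFACT
                and version_lt(version, FIXED_VERSION)):
            hits.append(coord)
    return hits


# Constructed sample inventory (hypothetical build output for this example).
SAMPLE_DEPENDENCIES = [
    "org.apache.jspwiki:jspwiki-main:2.11.2",
    "org.apache.jspwiki:jspwiki-main:2.11.3",
    "org.apache.jspwiki:jspwiki-main:2.11.3-SNAPSHOT",  # pre-release of the fix: still affected
    "org.apache.jspwiki:jspwiki-main:2.12.0",
    "org.apache.jspwiki:jspwiki-api:2.11.2",            # different artifact, not in the advisory range
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_DEPENDENCIES):
        print("AFFECTED:", hit)
```

Only the jspwiki-main artifact is matched, because that is the only coordinate the advisory names; a pre-release build of the fixed version is deliberately reported as affected, since a snapshot cannot be assumed to contain the complete fix.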
Affected products
- Apache Software Foundation / Apache JSPWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-ggjq-8c4c-68r5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-28730 (NVD advisory)
- jspwiki-wiki.apache.org/Wiki.jsp (MISC, web)
News mentions
No linked articles in our index yet.