Apache JSPWiki CSRF in UserPreferences.jsp
Description
A carefully crafted request to UserPreferences.jsp could trigger a CSRF vulnerability in Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email address associated with the attacked account and then issue a password reset request from the login page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Apache JSPWiki UserPreferences.jsp allows an attacker to change the victim's email and initiate a password reset.
Root Cause
Apache JSPWiki versions prior to 2.11.3 lack proper Cross-Site Request Forgery (CSRF) protections on the UserPreferences.jsp page. An attacker can craft a malicious request that, when executed by an authenticated user, modifies the email address associated with the victim's account [1].
Exploitation
To exploit this vulnerability, the attacker must trick a logged-in JSPWiki user into visiting a specially crafted page or link that submits a request to UserPreferences.jsp. No additional authentication is required beyond the victim's active session. The crafted request changes the email address on the account, after which the attacker can use the password reset feature on the login page to gain control of the account [1].
Impact
Successful exploitation allows the attacker to take over the victim's account by resetting the password via the modified email. This can lead to unauthorized access to wiki content, modification of pages, and potential further compromise depending on the user's privileges.
Mitigation
The vulnerability is fixed in Apache JSPWiki version 2.11.3 and later. Users are strongly advised to upgrade to the latest version to mitigate this and other security issues [1][3].
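The fix described above relies on the standard synchronizer-token defense: a state-changing request is honored only if it carries a secret value that the server embedded in the form it rendered for that session, because a cross-site page can trigger a request with the victim's cookies but cannot read that per-session token. The following is an added illustration of that check, not JSPWiki's own code; the in-memory session store, the function names and the form field names are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> account state.
# A real server would keep this in its session layer, not a module dict.
SESSIONS = {}


def create_session(user, email):
    """Log a user in and mint a per-session CSRF token for their forms."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "email": email,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def render_preferences_form(sid):
    """Return the token the server embeds as a hidden field in its own
    preferences form. Only a page served by this origin can read it."""
    return SESSIONS[sid]["csrf_token"]


def update_email(sid, form):
    """Handle a POST to the (hypothetical) preferences endpoint.

    `sid` stands in for the session cookie the browser sends automatically;
    `form` is the submitted body. Returns (status, message)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token")
    # Reject when the token is absent or differs from the session's token.
    # compare_digest avoids leaking the token through timing differences.
    if not submitted or not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token missing or invalid"
    session["email"] = form["email"]
    return 200, "email updated"


def demo():
    """Legitimate same-origin submission succeeds; a request that carries the
    session but not the token (what a cross-site form can produce) is refused."""
    sid = create_session("alice", "alice@example.test")
    ok = update_email(sid, {"email": "alice-new@example.test",
                            "csrf_token": render_preferences_form(sid)})
    forged = update_email(sid, {"email": "attacker@example.test"})
    return ok, forged, SESSIONS[sid]["email"]
```

The important property is that the token check is bound to the session and evaluated on every state-changing request; a token that is merely present in the page but not verified server-side, or one shared across all users, provides no protection.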
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jspwiki:jspwiki-main (Maven) | < 2.11.3 | 2.11.3 |
Affected products
- Apache Software Foundation / Apache JSPWiki (range: Apache JSPWiki)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-9x9j-vrhj-v364 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-28731 (advisory)
- [3] jspwiki-wiki.apache.org/Wiki.jsp (web)
News mentions
No linked articles in our index yet.