VYPR
High severity · NVD Advisory · Published Aug 4, 2022 · Updated Aug 3, 2024

User Group Privilege Escalation

CVE-2022-34158

Description

A carefully crafted invocation of the Image plugin could trigger a CSRF vulnerability in Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account and then issue a password reset request from the login page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Apache JSPWiki Image plugin allows group privilege escalation and email modification, enabling account takeover.

The vulnerability is a Cross-Site Request Forgery (CSRF) reachable through the Image plugin of Apache JSPWiki versions before 2.11.3. A plugin invocation can be crafted so that the browser of whoever renders the page issues a request to the wiki, and because the affected requests were not protected by an anti-CSRF token, the wiki honours them as if the viewer had made them deliberately [1][3].

To exploit this, an attacker needs an authenticated JSPWiki user whose session can make the change (for example a user who can administer groups) to load content carrying the crafted Image plugin invocation. Placing the invocation in a wiki page the attacker can edit, or getting the victim to follow a link to such a page, is enough; no privilege beyond the victim's own session is required [1][3].

Successful exploitation lets the attacker add their own account to a more privileged group, change the email address associated with the victim's account, and then request a password reset from the login page so the reset lands in the attacker's mailbox. The result is full account takeover of the victim and privilege escalation within the wiki [1][3].

The Apache Software Foundation has released JSPWiki 2.11.3, which fixes the CSRF vulnerability. Users are strongly advised to upgrade to this version or later. No workarounds have been provided [3]. The issue was discovered by Huiseong Seo (t0rchwo0d) [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
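The two sides of the attack described above, as an added example that is not JSPWiki's own code and does not reproduce the exact request the advisory refers to: a toy wiki Image plugin that copies an author-supplied src into an <img> tag, the victim's browser fetching that src with its session cookie, and the two fixes that close the hole (rejecting non-image src values in the plugin, and requiring POST plus a session-bound anti-CSRF token on the state-changing endpoint). The origin, the /attach/ path, the /EditGroup endpoint, the session id and the attacker markup are all constructed for this example.

```python
# Added example, not JSPWiki's code: a toy wiki "Image" plugin that shows why an
# attacker-controlled src attribute is a CSRF vector, beside the defences that
# close it. Endpoint names, origin, paths and markup are constructed.
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

WIKI_ORIGIN = "https://wiki.example.test"      # constructed wiki origin
ATTACHMENT_PREFIX = "/attach/"                 # hypothetical attachment store path
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
PLUGIN_RE = re.compile(r"\[\{Image\s+src='([^']*)'\s*\}\]")

# --- plugin side -------------------------------------------------------------

def render_image_plugin_vulnerable(markup: str) -> str:
    """'Before': whatever the page author wrote in src= lands in <img src> verbatim.
    The viewer's browser then fetches that URL with the viewer's wiki cookies."""
    return PLUGIN_RE.sub(lambda m: f'<img src="{m.group(1)}">', markup)


def is_safe_image_src(src: str) -> bool:
    """Defence in depth: accept only URLs that can plausibly be images.
    Same-origin URLs must point into the attachment store, never at a servlet/JSP."""
    parts = urlsplit(src)
    if parts.scheme not in ("", "http", "https") or parts.query or parts.fragment:
        return False
    if not parts.path.lower().endswith(IMAGE_EXTENSIONS):
        return False
    same_origin = parts.netloc == "" or f"{parts.scheme}://{parts.netloc}" == WIKI_ORIGIN
    return not same_origin or parts.path.startswith(ATTACHMENT_PREFIX)


def render_image_plugin_hardened(markup: str) -> str:
    """'After': an unsafe src is dropped instead of rendered."""
    def sub(m):
        src = m.group(1)
        if is_safe_image_src(src):
            return f'<img src="{src}">'
        return "<!-- Image plugin: src rejected -->"
    return PLUGIN_RE.sub(sub, markup)

# --- server side: the endpoint the forged request targets ----------------------

_CSRF_KEY = secrets.token_bytes(32)   # per-process key, constructed for the example

def csrf_token_for(session_id: str) -> str:
    """Session-bound anti-CSRF token: HMAC of the session id under a server key."""
    return hmac.new(_CSRF_KEY, session_id.encode(), "sha256").hexdigest()


def add_to_group_vulnerable(method: str, session_id: str, params: dict) -> str:
    """'Before': any request carrying the session cookie is enough, even a GET
    triggered by an <img> tag; method and token are never checked."""
    return f"200 {params['user']} added to {params['group']}"


def add_to_group_hardened(method: str, session_id: str, params: dict) -> str:
    """'After': state changes need POST plus a token a cross-site page cannot know."""
    if method != "POST":
        return "405 state change must be a POST"
    if not hmac.compare_digest(params.get("csrf", ""), csrf_token_for(session_id)):
        return "403 invalid or missing CSRF token"
    return f"200 {params['user']} added to {params['group']}"

# --- the victim's browser, simulated -------------------------------------------

def victim_views_page(html: str, handler, session_id: str = "victim-session") -> list:
    """Fetch every same-origin <img src> the way a browser does: as a GET with the
    victim's session attached. Returns the wiki's responses to those fetches."""
    responses = []
    for src in re.findall(r'<img src="([^"]*)"', html):
        parts = urlsplit(src)
        if parts.netloc and f"{parts.scheme}://{parts.netloc}" != WIKI_ORIGIN:
            continue                    # cross-origin image: the wiki never sees it
        if parts.path != "/EditGroup":  # hypothetical group-management endpoint
            continue
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        responses.append(handler("GET", session_id, params))
    return responses


# Constructed attacker markup: an Image plugin invocation whose src is not an image.
ATTACK_MARKUP = "Nice page! [{Image src='/EditGroup?group=Admin&user=attacker'}]"

if __name__ == "__main__":
    html = render_image_plugin_vulnerable(ATTACK_MARKUP)
    print(victim_views_page(html, add_to_group_vulnerable))  # attacker joins Admin
    print(victim_views_page(html, add_to_group_hardened))    # refused: GET, no token
    print(render_image_plugin_hardened(ATTACK_MARKUP))       # src never rendered
```

The plugin-side filter alone is not a CSRF fix: any other way of getting a same-origin URL into the victim's browser would still work, so the endpoint-side POST-plus-token check is the change that actually closes the vulnerability, and the src validation is belt-and-braces.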

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
org.apache.jspwiki:jspwiki-main  Maven       < 2.11.3            2.11.3

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)