VYPR
Moderate severity · NVD Advisory · Published Jun 24, 2024 · Updated Mar 20, 2025

Apache JSPWiki: Cross-site scripting vulnerability on upload page

CVE-2024-27136

Description

XSS in the Upload page in Apache JSPWiki 2.12.1 and prior allows an attacker to execute JavaScript in the victim's browser and obtain sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache JSPWiki 2.12.1 and earlier have a stored XSS vulnerability on the Upload page, allowing script execution and sensitive data theft.

Vulnerability Overview

Apache JSPWiki, a Java-based wiki engine, contains a cross-site scripting (XSS) vulnerability in its Upload page. The issue affects versions up to and including 2.12.1, where a carefully crafted request can inject malicious JavaScript into the page [2]. This stored XSS occurs because user-supplied content is not properly sanitized before being served to other users [3].

Attack Vector and Prerequisites

An attacker can exploit this vulnerability by uploading a specially crafted file or payload via the Upload page. The attack requires the victim to visit the affected wiki page after the malicious content is stored. No authentication is needed for the initial upload, but the victim must be a user of the wiki to have the injected script executed in their browser [3][4].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the JSPWiki application. This can lead to the theft of sensitive information, such as session cookies, authentication tokens, or other personal data accessible through the victim's session [1][3]. The moderate severity rating reflects the need for victim interaction but highlights the risk to confidentiality.

Mitigation

The vulnerability is fixed in Apache JSPWiki version 2.12.2. Users are strongly advised to upgrade immediately, as no workarounds have been provided. The issue was reported by sonnh from Vietnam National Cyber Security Technology Corporation and is publicly documented [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.jspwiki:jspwiki-main (Maven)
Affected versions: < 2.12.2
Patched versions: 2.12.2
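As an added check that is not part of this advisory or of the JSPWiki project, the following Python script reads a Maven pom.xml (a constructed sample is embedded) and reports whether each declared org.apache.jspwiki:jspwiki-main version falls inside the affected range (< 2.12.2) listed above. It assumes the standard POM namespace and a literal <version> value (a ${property} reference raises an error), and it treats Maven qualifiers such as -SNAPSHOT as sorting below the bare release.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates and boundary taken from the advisory table above
GROUP_ID = "org.apache.jspwiki"
ARTIFACT_ID = "jspwiki-main"
PATCHED = (2, 12, 2)          # first fixed release; anything below is affected
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml fragment, not taken from any real project
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.jspwiki</groupId>
    <artifactId>jspwiki-main</artifactId><version>2.12.1</version></dependency>
</dependencies></project>"""

def parse_version(text):
    """'2.12.1' -> (2, 12, 1). A qualifier such as '-SNAPSHOT' or '-rc1'
    appends -1 so the build sorts below the bare release, as Maven does."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version (property reference?): {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2):
        parts.append(-1)
    return tuple(parts)

def is_affected(version):
    """True when version < 2.12.2 after zero-padding both tuples to equal length."""
    v = parse_version(version)
    width = max(len(v), len(PATCHED))
    return v + (0,) * (width - len(v)) < PATCHED + (0,) * (width - len(PATCHED))

def jspwiki_versions(pom_xml):
    """Literal <version> values declared for jspwiki-main in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        ver = dep.findtext("m:version", default="", namespaces=POM_NS)
        if gid == GROUP_ID and aid == ARTIFACT_ID and ver:
            found.append(ver)
    return found

def check_pom(pom_xml):
    """Map each declared jspwiki-main version to whether CVE-2024-27136 applies."""
    return {v: is_affected(v) for v in jspwiki_versions(pom_xml)}  # sample -> {'2.12.1': True}
```

Versions pulled in transitively or managed through a parent POM are not visible to this check; compare the resolved dependency tree instead for those.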

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)