Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin

Vulnerability

Overview CVE-2025-24854 is a cross-site scripting (XSS) flaw in Apache JSPWiki, affecting versions up to 2.12.2 [1][3][4]. The vulnerability resides in the Image plugin, where a carefully crafted request can inject malicious JavaScript [1][3]. This occurs because user input is not properly sanitized or validated before being rendered in the browser [1][3][4].

Exploitation

Method An attacker can exploit this by sending a specially crafted request that includes malicious script content via the Image plugin [1][3]. The attack requires no special privileges—any user with the ability to insert images or trigger the plugin's endpoint could potentially be exploited [3][4]. The injected script executes in the context of the victim's browser session, making it a classic stored or reflected XSS attack [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, leading to extraction of sensitive information such as session cookies, authentication tokens, or other personal data [1][3][4]. This could result in account takeover, data leakage, or privilege escalation within the JSPWiki application [1][3][4].

Mitigation

Apache JSPWiki users should immediately upgrade to version 2.12.3 or later, which contains the fix for this vulnerability [1][4]. No workarounds have been provided, and the vendor recommends updating as the sole mitigation [3][4]. The vulnerability was independently discovered by XBOW and Hamed Kohi [3][4].