On 20/5/19 1:59 am, Juan Pablo Santos Rodríguez wrote:
Severity
Medium
Vendor
The Apache Software Foundation
Versions Affected
Apache JSPWiki up to 2.11.0.M3
Description
A carefully crafted plugin link invocation could trigger an XSS
vulnerability on Apache JSPWiki, which could lead to session hijacking.
Initial reporting indicated ReferredPagesPlugin, but further analysis
showed that multiple plugins were vulnerable.
Mitigation
Apache JSPWiki users should upgrade to 2.11.0.M4 or later.
Credit
This issue was discovered RunningSnail.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078
Hi Juan Pablo,
I am slowly upgrading my PhotoCollectionPlugin to work under the current
JSPWiki. Ironically, you keep moving the "goalposts" faster than I can
"kick the ball"!
I followed the announcement links, but they are circular and not very
helpful. Obviously there should be a reluctance to assist potential
exploiters target vulnerable wikis (I have two).
To save me spending precious time trawling the source code changes, is
it possible for you to answer my rather simple but important question:-
Was the vulnerability found in the plugin invocation framework, or a
result of developers like me cut-n-pasting an existing plugin when
creating their new one?
In other words, will my upgraded plugin be automatically protected, or
should I examine my old and stable logic for this vulnerability?
I hope this question can be answered quickly - I realise you have been
very busy lately and must be looking forward to a well-earned rest.
Best wishes,
Brian
