On Wed, Aug 3, 2022 at 10:46 PM Juan Pablo Santos Rodríguez <juanpa...@apache.org> wrote: > > Severity: critical > > Description: > > A carefully crafted request on UserPreferences.jsp could trigger an CSRF > vulnerability on Apache JSPWiki, which could allow the attacker to modify the > email associated with the attacked account, and then a reset password request > from the login page. > > Mitigation: > > Apache JSPWiki users should upgrade to 2.11.3 or later. Installations >= > 2.7.0 can also enable user management workflows' manual approval to mitigate > the issue. > > Credit: > > This issue was discovered by Fabrice Perez, <fabioperez AT gmail DOT com> > > References: > > https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732 >
