cvelistv5 - cve-2022-24948

CVE-2022-24948 (GCVE-0-2022-24948)

Vulnerability from cvelistv5 – Published: 2022-02-25 08:30 – Updated: 2024-08-03 04:29

Summary

A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.

Severity ?

No CVSS data available.

CWE

Cross-site scripting vulnerability on User Preferences screen

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/86p0yzopc4mw2h5bk…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2022/02/25/2	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache JSPWiki	Affected: Apache JSPWiki up to 2.11.1

Credits

This issue was discovered by Paulos Yibelo, from Octagon Networks.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:29:01.128Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
          },
          {
            "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache JSPWiki",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache JSPWiki up to 2.11.1 "
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Paulos Yibelo, from Octagon Networks. "
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-site scripting vulnerability on User Preferences screen",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-02-25T15:06:11",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
        },
        {
          "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24948",
          "STATE": "PUBLIC",
          "TITLE": "Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache JSPWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache JSPWiki up to 2.11.1 "
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was discovered by Paulos Yibelo, from Octagon Networks. "
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-site scripting vulnerability on User Preferences screen"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
            },
            {
              "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-24948",
    "datePublished": "2022-02-25T08:30:19",
    "dateReserved": "2022-02-10T00:00:00",
    "dateUpdated": "2024-08-03T04:29:01.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.11.2\", \"matchCriteriaId\": \"300AE80B-D0D2-43AA-973A-2589F59C796D\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.\"}, {\"lang\": \"es\", \"value\": \"Un env\\u00edo de preferencias de usuario cuidadosamente dise\\u00f1ado podr\\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con la pantalla de preferencias de usuario, que podr\\u00eda permitir al atacante ejecutar javascript en el navegador de la v\\u00edctima y conseguir alguna informaci\\u00f3n confidencial sobre la misma. Los usuarios de Apache JSPWiki deber\\u00edan actualizar a versi\\u00f3n 2.11.2 o posterior.\\n\"}]",
      "id": "CVE-2022-24948",
      "lastModified": "2024-11-21T06:51:26.440",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2022-02-25T09:15:07.047",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/25/2\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/02/25/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-24948\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-02-25T09:15:07.047\",\"lastModified\":\"2024-11-21T06:51:26.440\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.\"},{\"lang\":\"es\",\"value\":\"Un env\u00edo de preferencias de usuario cuidadosamente dise\u00f1ado podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con la pantalla de preferencias de usuario, que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir alguna informaci\u00f3n confidencial sobre la misma. Los usuarios de Apache JSPWiki deber\u00edan actualizar a versi\u00f3n 2.11.2 o posterior.\\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.2\",\"matchCriteriaId\":\"300AE80B-D0D2-43AA-973A-2589F59C796D\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/02/25/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/02/25/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2022-17019

Vulnerability from cnvd - Published: 2022-03-06

Title

Apache JSPWiki跨站脚本漏洞（CNVD-2022-17019）

Description

JSPWiki是一款由Apache推出的开源的基于JSP的Wiki系统,基于文件系统,具有权限管理和搜索功能。 Apache JSPWiki 2.11.2之前版本在用户首选项屏幕中存在跨站脚本漏洞。攻击者可利用该漏洞在受害用户的浏览器中执行javascript，并获取敏感信息。

Severity

中

Patch Name

Apache JSPWiki跨站脚本漏洞（CNVD-2022-17019）的补丁

Patch Description

JSPWiki是一款由Apache推出的开源的基于JSP的Wiki系统,基于文件系统,具有权限管理和搜索功能。 Apache JSPWiki 2.11.2之前版本在用户首选项屏幕中存在跨站脚本漏洞。攻击者可利用该漏洞在受害用户的浏览器中执行javascript，并获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-24948

Impacted products

Name
Apache JSPWiki <2.11.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-24948",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-24948"
    }
  },
  "description": "JSPWiki\u662f\u4e00\u6b3e\u7531Apache\u63a8\u51fa\u7684\u5f00\u6e90\u7684\u57fa\u4e8eJSP\u7684Wiki\u7cfb\u7edf,\u57fa\u4e8e\u6587\u4ef6\u7cfb\u7edf,\u5177\u6709\u6743\u9650\u7ba1\u7406\u548c\u641c\u7d22\u529f\u80fd\u3002\n\nApache JSPWiki 2.11.2\u4e4b\u524d\u7248\u672c\u5728\u7528\u6237\u9996\u9009\u9879\u5c4f\u5e55\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5bb3\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884cjavascript\uff0c\u5e76\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-17019",
  "openTime": "2022-03-06",
  "patchDescription": "JSPWiki\u662f\u4e00\u6b3e\u7531Apache\u63a8\u51fa\u7684\u5f00\u6e90\u7684\u57fa\u4e8eJSP\u7684Wiki\u7cfb\u7edf,\u57fa\u4e8e\u6587\u4ef6\u7cfb\u7edf,\u5177\u6709\u6743\u9650\u7ba1\u7406\u548c\u641c\u7d22\u529f\u80fd\u3002\r\n\r\nApache JSPWiki 2.11.2\u4e4b\u524d\u7248\u672c\u5728\u7528\u6237\u9996\u9009\u9879\u5c4f\u5e55\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5bb3\u7528\u6237\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884cjavascript\uff0c\u5e76\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache JSPWiki\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-17019\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache JSPWiki \u003c2.11.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-24948",
  "serverity": "\u4e2d",
  "submitTime": "2022-03-01",
  "title": "Apache JSPWiki\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-17019\uff09"
}

GSD-2022-24948

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-24948

Aliases

CVE-2022-24948

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-24948",
    "description": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.",
    "id": "GSD-2022-24948"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-24948"
      ],
      "details": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.",
      "id": "GSD-2022-24948",
      "modified": "2023-12-13T01:19:42.982848Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2022-24948",
        "STATE": "PUBLIC",
        "TITLE": "Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache JSPWiki",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Apache JSPWiki up to 2.11.1 "
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "This issue was discovered by Paulos Yibelo, from Octagon Networks. "
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {}
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Cross-site scripting vulnerability on User Preferences screen"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
          },
          {
            "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.11.2)",
          "affected_versions": "All versions before 2.11.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-03-04",
          "description": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.",
          "fixed_versions": [
            "2.11.2"
          ],
          "identifier": "CVE-2022-24948",
          "identifiers": [
            "CVE-2022-24948",
            "GHSA-9953-fmrw-v4vm"
          ],
          "not_impacted": "All versions starting from 2.11.2",
          "package_slug": "maven/org.apache.jspwiki/jspwiki-main",
          "pubdate": "2022-02-25",
          "solution": "Upgrade to version 2.11.2 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-24948",
            "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b",
            "http://www.openwall.com/lists/oss-security/2022/02/25/2",
            "https://github.com/advisories/GHSA-9953-fmrw-v4vm"
          ],
          "uuid": "2ebc3027-446d-46be-b4f4-a093ae5361d4"
        },
        {
          "affected_range": "(,2.11.2)",
          "affected_versions": "All versions before 2.11.2",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2022-03-04",
          "description": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.",
          "fixed_versions": [
            "2.11.2"
          ],
          "identifier": "CVE-2022-24948",
          "identifiers": [
            "CVE-2022-24948"
          ],
          "not_impacted": "All versions starting from 2.11.2",
          "package_slug": "maven/org.apache.jspwiki/jspwiki-war",
          "pubdate": "2022-02-25",
          "solution": "Upgrade to version 2.11.2 or above.",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-24948",
            "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b",
            "http://www.openwall.com/lists/oss-security/2022/02/25/2"
          ],
          "uuid": "7f9546b3-6411-4235-8dcd-27aedb2b4e6d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.11.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2022-24948"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
            },
            {
              "name": "[oss-security] 20220225 [CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-03-04T01:49Z",
      "publishedDate": "2022-02-25T09:15Z"
    }
  }
}

FKIE_CVE-2022-24948

Vulnerability from fkie_nvd - Published: 2022-02-25 09:15 - Updated: 2024-11-21 06:51

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2022/02/25/2	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/02/25/2	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	jspwiki	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "300AE80B-D0D2-43AA-973A-2589F59C796D",
              "versionEndExcluding": "2.11.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later."
    },
    {
      "lang": "es",
      "value": "Un env\u00edo de preferencias de usuario cuidadosamente dise\u00f1ado podr\u00eda desencadenar una vulnerabilidad de tipo XSS en Apache JSPWiki, relacionada con la pantalla de preferencias de usuario, que podr\u00eda permitir al atacante ejecutar javascript en el navegador de la v\u00edctima y conseguir alguna informaci\u00f3n confidencial sobre la misma. Los usuarios de Apache JSPWiki deber\u00edan actualizar a versi\u00f3n 2.11.2 o posterior.\n"
    }
  ],
  "id": "CVE-2022-24948",
  "lastModified": "2024-11-21T06:51:26.440",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-02-25T09:15:07.047",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-9953-FMRW-V4VM

Vulnerability from github – Published: 2022-02-26 00:00 – Updated: 2022-03-07 13:41

Summary

Cross-site Scripting in Apache JSPWiki

Details

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.jspwiki:jspwiki-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-01T19:43:13Z",
    "nvd_published_at": "2022-02-25T09:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.2 or later.",
  "id": "GHSA-9953-fmrw-v4vm",
  "modified": "2022-03-07T13:41:54Z",
  "published": "2022-02-26T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24948"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/86p0yzopc4mw2h5bkwpt927b2c8tfq3b"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/02/25/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting in Apache JSPWiki"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-24948 (GCVE-0-2022-24948)

CNVD-2022-17019

GSD-2022-24948

FKIE_CVE-2022-24948

GHSA-9953-FMRW-V4VM

Tags

Sightings

Nomenclature