Refine your search
4 vulnerabilities found for Apache JSPWiki by Apache Software Foundation
CVE-2025-24854 (GCVE-0-2025-24854)
Vulnerability from nvd
Published
2025-07-31 08:43
Modified
2025-11-04 21:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request using the Image plugin could trigger an XSS
vulnerability on Apache JSPWiki, which could allow the attacker to
execute javascript in the victim's browser and get some sensitive
information about the victim.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache JSPWiki |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-24854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:38:50.896375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T17:55:04.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:44.925Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/30/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache JSPWiki",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.12.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The issue was separately discovered by both XBOW (https://github.com/xbow-security, https://xbow.com) and Hamed Kohi \u003c0x.hamy.1ATgmailDOTcom\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApache JSPWiki users should upgrade to 2.12.3 or later.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\n\n\n\n\n\nApache JSPWiki users should upgrade to 2.12.3 or later."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Medium"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T08:43:18.886Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-24854",
"datePublished": "2025-07-31T08:43:18.886Z",
"dateReserved": "2025-01-25T20:04:53.948Z",
"dateUpdated": "2025-11-04T21:09:44.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24853 (GCVE-0-2025-24853)
Vulnerability from nvd
Published
2025-07-31 08:42
Modified
2025-11-04 21:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request when creating a header link using the
wiki markup syntax, which could allow the attacker to execute javascript
in the victim's browser and get some sensitive information about the
victim.
Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache JSPWiki |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-24853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:39:02.510980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T17:55:11.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:43.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/30/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache JSPWiki",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.12.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The issue was discovered by XBOW (https://github.com/xbow-security, https://xbow.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute javascript\n in the victim\u0027s browser and get some sensitive information about the \nvictim.\n\u003c/p\u003e\n\u003cp\u003eFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\u003c/p\u003e\u003cp\u003eApache JSPWiki users should upgrade to 2.12.3 or later.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute javascript\n in the victim\u0027s browser and get some sensitive information about the \nvictim.\n\n\n\nFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\n\nApache JSPWiki users should upgrade to 2.12.3 or later."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Medium"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T08:42:06.453Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-24853",
"datePublished": "2025-07-31T08:42:06.453Z",
"dateReserved": "2025-01-25T20:03:15.418Z",
"dateUpdated": "2025-11-04T21:09:43.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24854 (GCVE-0-2025-24854)
Vulnerability from cvelistv5
Published
2025-07-31 08:43
Modified
2025-11-04 21:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request using the Image plugin could trigger an XSS
vulnerability on Apache JSPWiki, which could allow the attacker to
execute javascript in the victim's browser and get some sensitive
information about the victim.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache JSPWiki |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-24854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:38:50.896375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T17:55:04.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:44.925Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/30/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache JSPWiki",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.12.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The issue was separately discovered by both XBOW (https://github.com/xbow-security, https://xbow.com) and Hamed Kohi \u003c0x.hamy.1ATgmailDOTcom\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eA carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApache JSPWiki users should upgrade to 2.12.3 or later.\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "A carefully crafted request using the Image plugin could trigger an XSS \nvulnerability on Apache JSPWiki, which could allow the attacker to \nexecute javascript in the victim\u0027s browser and get some sensitive \ninformation about the victim.\n\n\n\n\n\nApache JSPWiki users should upgrade to 2.12.3 or later."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Medium"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T08:43:18.886Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24854"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Image plugin",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-24854",
"datePublished": "2025-07-31T08:43:18.886Z",
"dateReserved": "2025-01-25T20:04:53.948Z",
"dateUpdated": "2025-11-04T21:09:44.925Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24853 (GCVE-0-2025-24853)
Vulnerability from cvelistv5
Published
2025-07-31 08:42
Modified
2025-11-04 21:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
A carefully crafted request when creating a header link using the
wiki markup syntax, which could allow the attacker to execute javascript
in the victim's browser and get some sensitive information about the
victim.
Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.
Apache JSPWiki users should upgrade to 2.12.3 or later.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache JSPWiki |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-24853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:39:02.510980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T17:55:11.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:09:43.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/30/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache JSPWiki",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.12.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "The issue was discovered by XBOW (https://github.com/xbow-security, https://xbow.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute javascript\n in the victim\u0027s browser and get some sensitive information about the \nvictim.\n\u003c/p\u003e\n\u003cp\u003eFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\u003c/p\u003e\u003cp\u003eApache JSPWiki users should upgrade to 2.12.3 or later.\u003cbr\u003e\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "A carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute javascript\n in the victim\u0027s browser and get some sensitive information about the \nvictim.\n\n\n\nFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\n\nApache JSPWiki users should upgrade to 2.12.3 or later."
}
],
"metrics": [
{
"other": {
"content": {
"text": "Medium"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T08:42:06.453Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-24853",
"datePublished": "2025-07-31T08:42:06.453Z",
"dateReserved": "2025-01-25T20:03:15.418Z",
"dateUpdated": "2025-11-04T21:09:43.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}