CVE-2022-28730

2022-08-0407:15:07

CWE-79

apache

web.nvd.nist.gov

cve-2022-28730

ajaxpreview.jsp

xss vulnerability

apache jspwiki

cve-2021-40369

denounce plugin

nvd

security upgrade

2.11.3

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.1

Confidence

High

EPSS

0.003

Percentile

70.3%

JSON

A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim’s browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.

Affected configurations

Nvd

Vulners

Node

apachejspwikiRange<2.11.3

VendorProductVersionCPE
apachejspwiki*cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	jspwiki	*	cpe:2.3:a:apache:jspwiki::::::::

CNA Affected

[
  {
    "product": "Apache JSPWiki",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "Apache JSPWiki up to 2.11.2",
        "status": "affected",
        "version": "Apache JSPWiki",
        "versionType": "custom"
      }
    ]
  }
]