Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
[
{
"product": "Apache JSPWiki",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.11.0.M8",
"status": "affected",
"version": "Apache JSPWiki",
"versionType": "custom"
}
]
}
]