Lucene search

GitHub Advisory DatabaseGHSA-9X9J-VRHJ-V364

HistoryAug 05, 2022 - 12:00 a.m.

Apache JSPWiki CSRF due to crafted request on UserPreferences.jsp

2022-08-0500:00:30

CWE-352

GitHub Advisory Database

github.com

apache

jspwiki

csrf

userpreferences.jsp

vulnerability

reset password

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

27.3%

JSON

A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.

Affected configurations

Vulners

Node

org.apache.jspwikijspwiki-mainRange<2.11.3

VendorProductVersionCPE
org.apache.jspwikijspwiki-main*cpe:2.3:a:org.apache.jspwiki:jspwiki-main:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.jspwiki	jspwiki-main	*	cpe:2.3:a:org.apache.jspwiki:jspwiki-main::::::::

References

github.com/advisories/GHSA-9x9j-vrhj-v364

jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732

nvd.nist.gov/vuln/detail/CVE-2022-28731

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

27.3%

JSON

Related for GHSA-9X9J-VRHJ-V364