STG Security Advisory 2004-11-22.11

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
STG Security Advisory: [SSA-20041122-11] JSPWiki XSS vulnerability  
  
Revision 1.0  
Date Published: 2004-11-22 (KST)  
Last Update: 2004-11-22  
Disclosed by SSR Team ([email protected])  
  
Summary  
========  
JSPWiki is one of famous wiki web applications. It has a cross site  
scripting  
vulnerability.  
  
Vulnerability Class  
===================  
Implementation Error: Input validation flaw  
  
Details  
=======  
Due to an input validation flaw, the JSPWiki is vulnerable to cross site  
scripting attacks.  
  
http://[victim]/Search.jsp?query=<script>alert('hi')</script>  
  
Impact  
======  
Medium: Malicious attackers can inject and execute arbitrary script code in  
a user's browser session in context of an affected site.  
  
Workaround  
==========  
There is no known workaround at this time.  
  
Affected Products  
================  
JSPWiki v2.1.120-cvs and prior  
  
Vendor Status: NOT FIXED  
=======================  
2004-10-01 Vulnerability found.  
2004-10-27 JSPWiki developer notified.  
2004-11-22 Official release.  
  
Credits  
======  
Jeremy Bae at STG Security  
  
-----BEGIN PGP SIGNATURE-----  
Version: PGP 8.0  
  
iQA/AwUBQaP4bj9dVHd/hpsuEQK0ZwCgsKuNhZ2XX8EmpkQvOOw8psIBSR0AoKPw  
PyRsAAEFTLdkOa7FTIQ2uN0z  
=Mik7  
-----END PGP SIGNATURE-----  
  
`