JSPWiki: CVE-2022-24947

[CVE-2022-24947] Apache JSPWiki CSRF Account Takeover#

Severity
Critical

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.1

Description
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover.

Mitigation
Apache JSPWiki users should upgrade to 2.11.2 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue.

Credit
This issue was discovered initially by Cristian Borlovan from Ounce Labs Security (ref. JSPWIKI-79), and later on and independently from this by Paulos Yibelo, from Octagon Networks.

CVE

About cookies on this site#

This site uses cookie technology to store your user preferences to provide a more personalized browsing experience. No data will be shared by this site with 3rd parties. For more information on the cookies we use and how you can manage your cookie settings, please go to our Cookies Policy.

General#

Community#

Development#

PMC#

Special Pages#

Referenced by#

NewIn2.11
News

ASF

#

Apache	Foundation
Donations	Projects
Sponsorship	People
Privacy	Get involved
Events	Thanks