The Apache Software Foundation
Apache JSPWiki up to 2.11.1
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover.
Apache JSPWiki users should upgrade to 2.11.2 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue.
This issue was discovered initially by Cristian Borlovan from Ounce Labs Security (ref. JSPWIKI-79), and later on and independently from this by Paulos Yibelo, from Octagon Networks.