Severity
Critical
Vendor
The Apache Software Foundation
Versions Affected
Apache JSPWiki up to 2.11.1
Description
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover.
Mitigation
Apache JSPWiki users should upgrade to 2.11.2 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue.
Credit
This issue was discovered initially by Cristian Borlovan from Ounce Labs Security (ref. JSPWIKI-79), and later on and independently from this by Paulos Yibelo, from Octagon Networks.