oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-24853: Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing

From: Juan Pablo Santos Rodríguez <juanpablo () apache org>
Date: Wed, 30 Jul 2025 20:49:02 +0200
Severity: Medium

Affected versions:

- Apache JSPWiki  before Apache JSPWiki up to 2.12.2

Description:

A carefully crafted request when creating a header link using the
wiki markup syntax, which could allow the attacker to execute javascript
 in the victim's browser and get some sensitive information about the
victim.

Further research by the JSPWiki team showed that the markdown parser
allowed this kind of attack too.

Apache JSPWiki users should upgrade to 2.12.3 or later.

Credit:

The issue was discovered by XBOW (https://github.com/xbow-security,
https://xbow.com) (finder)

References:

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853
https://www.cve.org/CVERecord?id=CVE-2025-24853
Previous By Date Next
Previous By Thread Next

Current thread: