CVE-2021-40369
Published on: 11/24/2021 12:00:00 AM UTC
Last Modified on: 11/09/2022 09:43:00 PM UTC
Certain versions of Jspwiki from Apache contain the following vulnerability:
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.
- CVE-2021-40369 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
- Affected Vendor/Software:
Apache Software Foundation - Apache JSPWiki version <= 2.11.0.M8
Vulnerability Patch/Work Around
- Apache JSPWiki users should upgrade to 2.11.0 or later.
CVSS3 Score: 6.1 - MEDIUM
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | REQUIRED |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
CHANGED | LOW | LOW | NONE |
CVSS2 Score: 4.3 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
NONE | PARTIAL | NONE |
CVE References
Description | Tags |
---|---|
JSPWiki: CVE-2021-40369 | jspwiki-wiki.apache.org, text/html |
No Description Provided | lists.apache.org, text/html |
oss-security - CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp | www.openwall.com, text/html |
There are currently no QIDs associated with this CVE
Exploit/POC from Github
A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denou…
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Apache | Jspwiki | All | All | All | All |
- cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*:
Discovery Credit
Apache JSPWiki would like to thank map1e ([email protected]) for discovering this issue.
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
twitter.com | [CVE-2021-40369] Apache JSPWiki Cross-site scripting vulnerability on Denounce plugin: Posted by Juan Pablo Santos… twitter.com/i/web/status/1… | 2021-11-24 02:30:07 |
twitter.com | CVE-2021-40369 : A carefully crafted plugin link invocation could trigger an #XSS vulnerability on #Apache JSPWiki,… twitter.com/i/web/status/1… | 2021-11-24 11:19:27 |