{"api_version":"1","generated_at":"2026-06-22T19:29:59+00:00","cve":"CVE-2022-28731","urls":{"html":"https://cve.report/CVE-2022-28731","api":"https://cve.report/api/cve/CVE-2022-28731.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-28731","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-28731"},"summary":{"title":"CVE-2022-28731","description":"A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2022-08-04 07:15:00","updated_at":"2022-08-10 15:52:00"},"problem_types":["CWE-352"],"metrics":[],"references":[{"url":"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732","name":"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732","refsource":"MISC","tags":[],"title":"JSPWiki: CVE-2022-28732","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-28731","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-28731","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"This issue was discovered by Fabrice Perez, <fabioperez AT gmail DOT \ncom>","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"28731","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"jspwiki","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2022-28731","STATE":"PUBLIC","TITLE":"Apache JSPWiki CSRF in UserPreferences.jsp"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache JSPWiki","version":{"version_data":[{"version_affected":"<=","version_name":"Apache JSPWiki","version_value":"Apache JSPWiki up to 2.11.2"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"This issue was discovered by Fabrice Perez, <fabioperez AT gmail DOT com> "}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[{"other":"critical"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CSRF Account Takeover"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732","name":"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732"}]},"source":{"discovery":"UNKNOWN"},"work_around":[{"lang":"eng","value":"Apache JSPWiki users should upgrade to 2.11.3 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue. \n"}]},"nvd":{"publishedDate":"2022-08-04 07:15:00","lastModifiedDate":"2022-08-10 15:52:00","problem_types":["CWE-352"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*","versionEndExcluding":"2.11.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}