Message-ID: <CAMufup6S_bp8Z0dmz2CSzzxVC-sqrsBy22mkO0vhhhnyof49jw@mail.gmail.com>
Date: Wed, 30 Jul 2025 20:49:02 +0200
From: Juan Pablo Santos Rodríguez <juanpablo@...che.org>
To: announce@...che.org, dev@...wiki.apache.org, user@...wiki.apache.org, 
	Apache Security Team <security@...che.org>, oss-security@...ts.openwall.com, 
	XBOW Security <bb@...w.com>
Subject: CVE-2025-24853: Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing

Severity: Medium

Affected versions:

- Apache JSPWiki up to 2.12.2

Description:

A carefully crafted request when creating a header link using the
wiki markup syntax could allow an attacker to execute JavaScript in the
victim's browser and obtain some sensitive information about the
victim.

Further research by the JSPWiki team showed that the markdown parser
allowed this kind of attack too.
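The defensive point behind this advisory is that a heading defined in wiki markup ends up in several HTML output contexts at once (the heading text, the generated `id`, and the `href` of the self-link), and each context needs its own escaping or whitelisting. The following is an added illustration written for this post, not JSPWiki's own renderer: it assumes a JSPWiki-style heading line that starts with one to three `!` characters and maps `!!!` to `<h2>`, `!!` to `<h3>` and `!` to `<h4>` (that mapping and the self-link markup are assumptions for the example).

```python
import html
import re
import unicodedata

# Constructed matcher for a heading line such as "!!! My Heading":
# group 1 is the run of '!' characters, group 2 the heading text.
HEADING_RE = re.compile(r"^(!{1,3})\s*(.+?)\s*$")


def heading_anchor(text: str) -> str:
    """Derive an anchor id from heading text using a strict whitelist.

    Only ASCII letters, digits and single hyphens survive, so text that
    a page author controls can never terminate or extend the id="..."
    or href="#..." attribute it is placed into.
    """
    ascii_text = (
        unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    )
    slug = re.sub(r"[^A-Za-z0-9]+", "-", ascii_text).strip("-")
    return slug or "section"


def render_heading(line: str) -> str:
    """Render one line of wiki markup as HTML, escaping every output context.

    Heading text is HTML-escaped (so '<', '>', '&' and quotes become
    entities); the anchor is whitelisted rather than escaped, because an
    attribute value and text content are different contexts.
    """
    m = HEADING_RE.match(line)
    if not m:
        # Not a heading: emit it as escaped text so markup characters
        # in ordinary lines are inert as well.
        return html.escape(line, quote=True)

    bangs, text = m.group(1), m.group(2)
    level = 5 - len(bangs)  # '!!!' -> h2, '!!' -> h3, '!' -> h4 (assumed mapping)
    anchor = heading_anchor(text)
    safe_text = html.escape(text, quote=True)
    return (
        f'<h{level} id="{anchor}">'
        f'<a href="#{anchor}">#</a>{safe_text}'
        f"</h{level}>"
    )


if __name__ == "__main__":
    # Constructed sample lines: one ordinary heading, one containing
    # characters that must never reach the browser unescaped.
    for sample in ["!!! Plain Heading", '!! A "quoted" <tag> & more']:
        print(render_heading(sample))
```

The important design choice is that the anchor is built by whitelisting characters instead of by escaping: escaping makes a value safe for one context, whereas a whitelisted slug is safe in the `id`, in the `href`, and in any URL fragment a client later constructs from it. The visible heading text, by contrast, is escaped in full so that quotes and angle brackets appear literally on the page.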

Apache JSPWiki users should upgrade to 2.12.3 or later.

Credit:

The issue was discovered by XBOW (https://github.com/xbow-security,
https://xbow.com) (finder)

References:

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853
https://www.cve.org/CVERecord?id=CVE-2025-24853
