![]() |
|
Message-ID: <CAMufup6S_bp8Z0dmz2CSzzxVC-sqrsBy22mkO0vhhhnyof49jw@mail.gmail.com> Date: Wed, 30 Jul 2025 20:49:02 +0200 From: Juan Pablo Santos RodrÃguez <juanpablo@...che.org> To: announce@...che.org, dev@...wiki.apache.org, user@...wiki.apache.org, Apache Security Team <security@...che.org>, oss-security@...ts.openwall.com, XBOW Security <bb@...w.com> Subject: CVE-2025-24853: Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing Severity: Medium Affected versions: - Apache JSPWiki before Apache JSPWiki up to 2.12.2 Description: A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later. Credit: The issue was discovered by XBOW (https://github.com/xbow-security, https://xbow.com) (finder) References: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853 https://www.cve.org/CVERecord?id=CVE-2025-24853
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.