Apache JSPWiki CSRF due to crafted invocation on the Image plugin
High severity
GitHub Reviewed
Published
Aug 5, 2022
to the GitHub Advisory Database
•
Updated Jan 31, 2023
Description
Published by the National Vulnerability Database
Aug 4, 2022
Published to the GitHub Advisory Database
Aug 5, 2022
Reviewed
Aug 11, 2022
Last updated
Jan 31, 2023
A carefully crafted invocation on the Image plugin could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then a reset password request from the login page.
References