Miggo Logo

CVE-2019-10076: Cross-Site Scripting in JSPWiki

6.1

CVSS Score
3.0

Basic Information

EPSS Score
0.8761%
Published
6/6/2019
Updated
1/9/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.jspwiki:jspwiki-warmaven>= 2.9.0, <= 2.11.0.M32.11.0.M4
org.apache.jspwiki:jspwiki-mainmaven>= 2.9.0, <= 2.11.0.M32.11.0.M4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The XSS vulnerability requires both 1) ingestion of malicious content via attachment upload (handled by AttachmentManager), and 2) unsafe rendering of that content in UI components (potentially in AdminBean). While exact patch details are unavailable, these core components align with the described attack vector and typical JSPWiki architecture. The 'medium' confidence for AdminBean reflects uncertainty about exact rendering location versus other UI components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* **r**ully *r**t** m*li*ious *tt***m*nt *oul* tri***r *n XSS vuln*r**ility on *p**** JSPWiki *.*.* to *.**.*.M*, w*i** *oul* l*** to s*ssion *ij**kin*.

Reasoning

T** XSS vuln*r**ility r*quir*s *ot* *) in**stion o* m*li*ious *ont*nt vi* *tt***m*nt uplo** (**n*l** *y `*tt***m*ntM*n***r`), *n* *) uns*** r*n**rin* o* t**t *ont*nt in UI *ompon*nts (pot*nti*lly in `**min***n`). W*il* *x**t p*t** **t*ils *r* un*v*il