| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.jspwiki:jspwiki-main | maven | < 2.12.3 | 2.12.3 |

The vulnerability description indicates a Cross-Site Scripting (XSS) issue in the Image plugin of Apache JSPWiki. The affected versions are prior to 2.12.3. To pinpoint the vulnerable function, I first identified the commits between the last vulnerable version (2.12.2) and the first patched version (2.12.3). Within the list of commits, I found one with the message 'Allow data: or javascript: uris on src attribute of Image plugin only if jspwiki.translatorReader.allowHTML is enabled', which directly relates to the vulnerability.

Analyzing the diff of this commit (`a49b2fd5c93ca38175ac30d41152fc3b75d20691`) revealed changes in the `Image.java` file. Specifically, the `execute` method was modified to add a security check. Before the patch, the `src` attribute of the `<img>` tag was created directly from user input without sufficient validation. The patch introduces a check to see if the `allowHTML` property is disabled, and if so, it neutralizes `javascript:` and `data:` URIs. This confirms that the `org.apache.wiki.plugin.Image.execute` function is the vulnerable function, as it is responsible for processing the malicious input and generating the vulnerable HTML.
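
The kind of check the patch is described as adding can be sketched as follows. This is an added example, not the code from the JSPWiki commit: the class `ImageSrcGuard`, its method names, and the choice to neutralize by emptying the value are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;

public class ImageSrcGuard {

    // Schemes the analysis names as neutralized when allowHTML is disabled.
    private static final List<String> BLOCKED = List.of("javascript:", "data:");

    /** Returns src unchanged when permitted, or "" when it must be neutralized (assumed strategy). */
    static String safeSrc(String src, boolean allowHtml) {
        if (src == null) return "";
        if (allowHtml) return src; // administrator has opted in to raw HTML
        // Browsers drop leading spaces/control characters and strip tab, CR and LF
        // from a URL before reading its scheme, so normalise the same way first.
        String probe = src.replaceAll("[\\t\\r\\n]", "")
                          .replaceAll("^[\\x00-\\x20]+", "")
                          .toLowerCase(Locale.ROOT);
        for (String scheme : BLOCKED) {
            if (probe.startsWith(scheme)) return "";
        }
        return src;
    }

    /** Minimal attribute escaping so the value cannot break out of the quoted attribute. */
    static String escapeAttr(String v) {
        return v.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    static String imgTag(String src, boolean allowHtml) {
        return "<img src=\"" + escapeAttr(safeSrc(src, allowHtml)) + "\" />";
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String[] samples = {
            "attachments/diagram.png",
            "https://example.org/logo.png",
            "javascript:void(0)",
            "  JaVa\tScRiPt:void(0)",          // case and whitespace variation
            "data:image/svg+xml;base64,AAAA"
        };
        for (String s : samples) {
            System.out.println("allowHTML=false -> " + imgTag(s, false));
        }
        System.out.println("allowHTML=true  -> " + imgTag(samples[2], true));
    }
}
```

With `allowHTML` disabled, the last three samples produce an empty `src`, while the attachment path and the `https:` URL pass through unchanged.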