You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jspwiki.apache.org by Juan Pablo Santos Rodríguez <ju...@apache.org> on 2022/08/03 20:46:05 UTC

CVE-2022-28731: Apache JSPWiki CSRF in UserPreferences.jsp

Severity: critical

Description:

A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page. 

Mitigation:

Apache JSPWiki users should upgrade to 2.11.3 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue. 

Credit:

This issue was discovered by Fabrice Perez, <fabioperez AT gmail DOT com> 

References:

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732

Re: CVE-2022-28731: Apache JSPWiki CSRF in UserPreferences.jsp

Posted by Juan Pablo Santos Rodríguez <ju...@apache.org>.

On Wed, Aug 3, 2022 at 10:46 PM Juan Pablo Santos Rodríguez
<ju...@apache.org> wrote:
>
> Severity: critical
>
> Description:
>
> A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.
>
> Mitigation:
>
> Apache JSPWiki users should upgrade to 2.11.3 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue.
>
> Credit:
>
> This issue was discovered by Fabrice Perez, <fabioperez AT gmail DOT com>
>
> References:
>
> https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732
>