<p>Upgrade <code>org.apache.jspwiki:jspwiki-main</code> to version 2.11.2 or higher.</p>

Cross-site Request Forgery (CSRF) Affecting org.apache.jspwiki:jspwiki-main package, versions [,2.11.2)

Snyk CVSS

Attack Complexity Low

User Interaction Required

Threat Intelligence

EPSS 0.09% (39^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHEJSPWIKI-2413443
published 25 Feb 2022
disclosed 25 Feb 2022
credit Cristian Borlovan, Paulos Yibelo

Report a new vulnerability Found a mistake?

Introduced: 25 Feb 2022

CVE-2022-24947 Open this link in a new tab CWE-352 Open this link in a new tab

How to fix?

Upgrade org.apache.jspwiki:jspwiki-main to version 2.11.2 or higher.

Overview

org.apache.jspwiki:jspwiki-main is a main release jar for Apache JSPWiki engine.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the UserProfile.jsp component, which does not require you to type in your old password to change the new password, allowing the attacker to change the account password as long as they know there is an existing account name.