Moshe Ba

**Name of the Vulnerable Software and Affected Versions** JSPWiki versions 2.4.104 and 2.5.139 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `editor` parameter in Edit.jsp, which is a different attack vector. **Recommendations** For JSPWiki version 2.4.104, update to a version that fixes this issue. For JSPWiki version 2.5.139, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the Edit.jsp page to minimize the risk of exploitation. Avoid using the `editor` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JSPWiki versions 2.4.104 and 2.5.139 **Description** The issue allows remote attackers to upload and execute arbitrary .jsp files via an unspecified manipulation that attaches a .jsp file to an "entry page." **Recommendations** For JSPWiki version 2.4.104, update to a version that fixes this issue. For JSPWiki version 2.5.139, update to a version that fixes this issue. As a temporary workaround, consider restricting file uploads to prevent the execution of arbitrary .jsp files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** JSPWiki versions 2.4.104 and 2.5.139 **Description** A directory traversal issue in Edit.jsp allows remote attackers to include and execute arbitrary local .jsp files, and obtain sensitive information, via a .. (dot dot) in the `editor` parameter. This issue can be exploited to access sensitive data. **Recommendations** For JSPWiki version 2.4.104, update to a version that fixes this issue. For JSPWiki version 2.5.139, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the Edit.jsp page to minimize the risk of exploitation.