Apache · Apache Jspwiki · CVE-2022-34158
**Name of the Vulnerable Software and Affected Versions**
Apache JSPWiki versions prior to 2.11.3
**Description**
A carefully crafted invocation of the Image plugin could trigger a CSRF issue, allowing a group privilege escalation of the attacker's account. The same issue could also be used to modify the email address associated with the attacked account and then trigger a password reset request from the "login page" endpoint.
**Recommendations**
For versions prior to 2.11.3, update to version 2.11.3 or later to resolve the issue. If the upgrade cannot be applied immediately, restrict access to the Image plugin as a temporary workaround, and avoid using the vulnerable Image plugin functionality in the affected API endpoints until the upgrade is in place.