
Poh Jia

#43004 of 53,639
6.1 Total CVSS
Vulnerabilities · 1
PT-2022-19198
6.1
2022-08-04
Apache · Apache Jspwiki · CVE-2022-28730
**Name of the Vulnerable Software and Affected Versions**

Apache JSPWiki versions prior to 2.11.3

**Description**

A carefully crafted request on "AJAXPreview.jsp" could trigger an issue that allows an attacker to execute JavaScript in the victim's browser and obtain sensitive information. This issue leverages a problem where the Denounce plugin dangerously renders user-supplied URLs. The patch for this problem was found to be incomplete, as it was still possible to insert malicious input via the Denounce plugin.

**Recommendations**

For versions prior to 2.11.3, upgrade to 2.11.3 or later. As a temporary workaround, consider disabling the Denounce plugin until a patch is available. Restrict access to the "AJAXPreview.jsp" page to minimize the risk of exploitation. Avoid using the Denounce plugin to render user-supplied URLs until the issue is resolved.