PT-2022-19198 · Apache · Apache Jspwiki

Poh Jia


Published 2022-08-04 · Updated 2022-08-10

CVE-2022-28730

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache JSPWiki versions prior to 2.11.3

Description: A carefully crafted request on "AJAXPreview.jsp" could trigger an issue that allows an attacker to execute JavaScript in the victim's browser and obtain sensitive information. This issue leverages a problem where the Denounce plugin dangerously renders user-supplied URLs. The patch for this problem was found to be incomplete, as it was still possible to insert malicious input via the Denounce plugin.

Recommendations: For versions prior to 2.11.3, upgrade to 2.11.3 or later. As a temporary workaround, consider disabling the Denounce plugin until a patch is available. Restrict access to the "AJAXPreview.jsp" page to minimize the risk of exploitation. Avoid using the Denounce plugin to render user-supplied URLs until the issue is resolved.
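As an added illustration of the defensive pattern behind the fix (this is example code written for this page, not JSPWiki's or the Denounce plugin's own source), the function below shows the validate-then-escape approach for a plugin that turns user-supplied URLs into links: only absolute http(s) URLs with a host are rendered as anchors, and every character is HTML-escaped in attribute context so that neither a non-http scheme nor an attribute breakout survives. The allowed-scheme set and the sample inputs are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Assumption for this example: only these schemes may become clickable links.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_url(user_url: str) -> bool:
    """True only for absolute http(s) URLs that have a host and no control characters."""
    # Control characters (including NUL) are rejected outright; some parsers
    # silently strip them, which is how scheme checks get bypassed.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in user_url):
        return False
    try:
        parts = urlsplit(user_url.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_denounce_link(user_url: str) -> str:
    """Render a user-supplied URL as a link only if it validates.

    Rejected input is shown as escaped plain text, never as a URL, so a
    'javascript:' or 'data:' payload can never become an executable href.
    Accepted input is escaped with quote=True because it lands inside a
    double-quoted attribute as well as in element text.
    """
    if not is_safe_url(user_url):
        return "<span>" + html.escape(user_url, quote=True) + "</span>"
    safe = html.escape(user_url.strip(), quote=True)
    return '<a href="' + safe + '" rel="nofollow noopener">' + safe + "</a>"


# Constructed sample inputs for demonstration (not taken from the advisory).
SAMPLES = [
    "https://example.com/page",
    "javascript:alert(document.cookie)",
    'https://example.com/"><script>alert(1)</script>',
    "http://example.com/?q=a&b=c",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_denounce_link(sample))
```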

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-28730
GHSA-GGJQ-8C4C-68R5

Affected Products

Apache Jspwiki