Home > Vulnerability Database > CVE-2022-28730

Mend.io Vulnerability Database

CVE-2022-28730

Good to know:

Date: August 4, 2022

A carefully crafted request on AJAXPreview.jsp could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. This vulnerability leverages CVE-2021-40369, where the Denounce plugin dangerously renders user-supplied URLs. Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it was still possible to insert malicious input via the Denounce plugin. Apache JSPWiki users should upgrade to 2.11.3 or later.

Language: Java

Severity Score

6.1

Related Resources (4)

Url: https://github.com/apache/jspwiki

Url: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-28730

Url: https://www.mend.io/vulnerability-database/CVE-2022-28730

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version org.apache.jspwiki:jspwiki-main:2.11.3

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-28730

Good to know:

Date: August 4, 2022

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?