CVE-2022-28731

Summary

A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache JSPWikiApache JSPWiki <= Apache JSPWiki up to 2.11.2affected

Weaknesses

  • CSRF Account Takeover

Workarounds

Apache JSPWiki users should upgrade to 2.11.3 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue.

ADP Enrichment

CVE Program Container

Additional References

References