From: Juan Pablo Santos Rodríguez
Date: Sun, 19 May 2019 17:58:25 +0200
Subject: [CVE-2019-10077] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki
To: announce@apache.org, user@jspwiki.apache.org, dev@jspwiki.apache.org, Apache Security Team, jegatheesh.a@zohocorp.com

Severity
Medium

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.0.M3

Description
A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking.

Mitigation
Apache JSPWiki users should upgrade to 2.11.0.M4 or later.

Credit
This issue was discovered by Jegatheesh A, from the ZOHO-CRM Security team.

ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077
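The advisory gives two version boundaries (affected up to 2.11.0.M3, fixed in 2.11.0.M4). The following is an added example, not part of the announcement or of the JSPWiki project, showing how an operator could check an inventory of JSPWiki instances against those boundaries. It assumes JSPWiki version strings follow the `major.minor.patch` form with an optional `.M<n>` milestone suffix as seen on the page (a `-M<n>` spelling is tolerated as an extra assumption), and that a final release sorts after all milestones of the same base version; the host inventory is constructed sample data.

```python
import re
from typing import List, NamedTuple, Tuple

# Boundaries stated in the advisory: everything up to and including
# 2.11.0.M3 is affected; 2.11.0.M4 or later carries the fix.
LAST_AFFECTED = "2.11.0.M3"
FIRST_FIXED = "2.11.0.M4"

# Assumption: versions look like "2.11.0" or "2.11.0.M3" (also "2.11.0-M3").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


class JspwikiVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    is_final: bool   # assumption: a release without a milestone tag sorts
    milestone: int   # after all of its milestones; 0 when is_final is True


def parse_version(text: str) -> JspwikiVersion:
    """Parse a JSPWiki version string into a comparable tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised JSPWiki version string: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        # Final release: is_final=True makes it compare greater than any
        # milestone with the same major.minor.patch.
        return JspwikiVersion(int(major), int(minor), int(patch), True, 0)
    return JspwikiVersion(int(major), int(minor), int(patch), False, int(milestone))


def is_affected_by_cve_2019_10077(text: str) -> bool:
    """True when the given version is 2.11.0.M3 or older."""
    return parse_version(text) <= parse_version(LAST_AFFECTED)


# Constructed sample inventory of (hostname, reported JSPWiki version).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("wiki-prod.example.internal", "2.10.5"),
    ("wiki-stage.example.internal", "2.11.0.M3"),
    ("wiki-dev.example.internal", "2.11.0.M4"),
    ("wiki-lab.example.internal", "2.11.0"),
]


def hosts_needing_upgrade(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames still running an affected version, in inventory order."""
    return [host for host, version in inventory
            if is_affected_by_cve_2019_10077(version)]


if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2019-10077, upgrade to {FIRST_FIXED} or later")
```

Tuple comparison does the ordering work: the `is_final` flag makes `2.11.0` sort above `2.11.0.M4`, so a final release is never misreported as affected, while any earlier branch such as `2.10.x` compares below `2.11.0.M3` on the minor field alone.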