JSPWiki query parameter cross-site scripting
| jspwiki-query-xss (18236) |  Medium Risk |
Description:
JSPWiki is vulnerable to cross-site scripting, caused by a vulnerability in the search.jsp script. A remote attacker embed malicious script in the query parameter in a specially-crafted URL request to the search.jsp script, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials and other sensitive information.
Platforms Affected:
- Dan Johnsson, JSPWiki prior to 2.1.123
Remedy:
Upgrade to the latest version of JSPWiki ( 2.1.123 or later), available from the JSPWiki Web site. See References.
Consequences:
Gain Access
References:
- JSPWiki Web site, JSPWiki Main Page at http://www.jspwiki.org/Wiki.jsp?page=Main.
- BID-11746: JSPWiki Cross-Site Scripting Vulnerability
- CVE-2004-1544: Cross-site scripting (XSS) vulnerability in Search.jsp in JSPWiki 2.1.120-cvs and earlier allows remote attackers to execute arbitrary web script as other users via the query parameter.
- SA13285: JSPWiki "query" Parameter Cross-Site Scripting Vulnerability
Reported:
Nov 24, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net