Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

A carefully crafted request when creating a header link using the
wiki markup syntax, which could allow the attacker to execute javascript
in the victim's browser and get some sensitive information about the
victim.

Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.

Apache JSPWiki users should upgrade to 2.12.3 or later.

Basic Information

ID CVE-2025-24853

Source apache

Published Jul 31, 2025 at 08:42

Modified Jul 31, 2025 at 17:55

Affected Product

Vendor Apache Software Foundation

Product Apache JSPWiki

Affected Versions Apache Software Foundation Apache JSPWiki 0

CWE Classification

CWE-79

References

jspwiki-wiki.apache.org /Wiki.jsp

{
    "lastseen": "",
    "description": "A carefully crafted request when creating a header link using the \nwiki markup syntax, which could allow the attacker to execute javascript\n in the victim's browser and get some sensitive information about the \nvictim.\n\n\n\nFurther research by the JSPWiki team showed that the markdown parser allowed this kind of attack too.\n\nApache JSPWiki users should upgrade to 2.12.3 or later.",
    "published": "2025-07-31T08:42:06.453Z",
    "modified": "2025-07-31T17:55:11.018Z",
    "type": "cve",
    "title": "Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing",
    "source": "apache",
    "references": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2025-24853",
    "id": "CVE-2025-24853",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache JSPWiki 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache JSPWiki",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache JSPWiki: Cross-Site Scripting (XSS) in JSPWiki Header Link processing_CVE-2025-24853