STG Security Advisory: [SSA-20041122-11] JSPWiki XSS vulnerability

Revision 1.0

Date Published: 2004-11-22 (KST)

Last Update: 2004-11-22

Disclosed by SSR Team (advisory (at) stgsecurity (dot) com [email concealed])

Summary

========

JSPWiki is one of famous wiki web applications. It has a cross site scripting

vulnerability.

Vulnerability Class

===================

Implementation Error: Input validation flaw

Details

=======

Due to an input validation flaw, the JSPWiki is vulnerable to cross site

scripting attacks.

http://[victim]/Search.jsp?query=<script>alert('hi')</script>
;

Impact

======

Medium: Malicious attackers can inject and execute arbitrary script code in

a user's browser session in context of an affected site.

Workaround

==========

There is no known workaround at this time.

Affected Products

================

JSPWiki v2.1.120-cvs and prior

Vendor Status: NOT FIXED

=======================

2004-10-01 Vulnerability found.

2004-10-27 JSPWiki developer notified.

2004-11-22 Official release.

Credits

======

Jeremy Bae at STG Security

[ reply ]