[ANNOUNCE] Apache JSPWiki 2.11.2 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.2. This is the third release on the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.2
The full change log is available here: https://issues.apache.org/jira/browse/JSPWIKI/fixforversion/12351120
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[CVE-2022-24948] Apache JSPWiki Cross-site scripting vulnerability on User Preferences screen
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.1
Description: A carefully crafted user preferences for submission could trigger an XSS vulnerability on Apache JSPWiki, related to the user preferences screen, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Mitigation: Apache JSPWiki users should upgrade to 2.11.2 or later.
Credit: This issue was discovered by Paulos Yibelo, from Octagon Networks.
[CVE-2022-24947] Apache JSPWiki CSRF Account Takeover
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.1
Description: Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover.
Mitigation: Apache JSPWiki users should upgrade to 2.11.2 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue.
Credit: This issue was discovered initially by Cristian Borlovan from Ounce Labs Security (ref. JSPWIKI-79), and later on and independently from this by Paulos Yibelo, from Octagon Networks.
[ANNOUNCE] Apache JSPWiki 2.11.1 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.1. This is the second release on the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.1
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12350872
Apache JSPWiki contains a mitigation to log4j's CVE-2021-44228 by upgrading to log4j 2.16.0 as well as a few other improvements and bug fixes.
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[ANNOUNCE] Apache JSPWiki 2.11.0 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0. This is the first release after eight milestones on the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12345152
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[CVE-2021-44140] Apache JSPWiki Arbitrary file deletion on logout
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M8
Description: Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance by using a carefully crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0 or later.
Credit: This issue was discovered by haby0 (forha...@gmail.com) from Duxiaoman Financial Security Team, who also proposed the fix for this issue.
[CVE-2021-40369] Apache JSPWiki Cross-site scripting vulnerability on Denounce plugin
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M8
Description: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0 or later.
Credit: This issue was discovered by map1e (r...@lazymaple.pw).
[ANNOUNCE] Apache JSPWiki 2.11.0.M8 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0.M8. This is the eighth release towards the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components. M# releases are as production-ready as any other JSPWiki release, please see [#1] to know how this label is used on Apache JSPWiki releases.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0.M8
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12349271
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[#1]: https://jspwiki-wiki.apache.org/Wiki.jsp?page=VersioningProposal
[ANNOUNCE] Apache JSPWiki 2.11.0.M7 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0.M7. This is the seventh release towards the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components. M# releases are as production-ready as any other JSPWiki release, please see [#1] to know how this label is used on Apache JSPWiki releases.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0.M7
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12346642
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[#1]: https://jspwiki-wiki.apache.org/Wiki.jsp?page=VersioningProposal
[ANNOUNCE] Apache JSPWiki 2.11.0.M6 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0.M6. This is the sixth release towards the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components. M# releases are as production-ready as any other JSPWiki release, please see [#1] to know how this label is used on Apache JSPWiki releases.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0.M6
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12346489
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[#1]: https://jspwiki-wiki.apache.org/Wiki.jsp?page=VersioningProposal
[CVE-2019-12407] Apache JSPWiki Cross-site scripting vulnerability related to the remember parameter
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M4
Description: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M5 or later.
Credit: This issue was discovered by ADLab of VenusTech.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12407
[CVE-2019-12404] Apache JSPWiki Cross-site scripting vulnerability on InfoContent.jsp
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M4
Description: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to InfoContent.jsp, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M5 or later.
Credit: This issue was discovered by ADLab of VenusTech.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-12404
[CVE-2019-10090] Apache JSPWiki Cross-site scripting vulnerability on plain editor
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M4
Description: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M5 or later.
Credit: This issue was discovered by Dirk Frederickx, from Apache JSPWiki.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10090
[CVE-2019-10089] Apache JSPWiki Cross-site scripting vulnerability on WYSIWYG editor
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M4
Description: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M5 or later.
Credit: This issue was discovered by Jegatheesh A, from ZOHO-CRM Security team.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10089
[CVE-2019-10087] Apache JSPWiki Cross-site scripting vulnerability in Page Revision History
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M4
Description: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M5 or later.
Credit: This issue was discovered by Jegatheesh A, from ZOHO-CRM Security team.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10087
[ANNOUNCE] Apache JSPWiki 2.11.0.M5 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0.M5. This is the fifth release towards the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components. M# releases are as production-ready as any other JSPWiki release, please see [#1] to know how this label is used on Apache JSPWiki releases.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0.M5
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12345540
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[#1]: https://jspwiki-wiki.apache.org/Wiki.jsp?page=VersioningProposal
[CVE-2019-10078] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M3
Description: A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking. Initial reporting indicated ReferredPagesPlugin, but further analysis showed that multiple plugins were vulnerable.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M4 or later.
Credit: This issue was discovered by RunningSnail.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10078
[CVE-2019-10077] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M3
Description: A carefully crafted InterWiki link could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M4 or later.
Credit: This issue was discovered by Jegatheesh A, from ZOHO-CRM Security team.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10077
[CVE-2019-10076] Apache JSPWiki Cross-site scripting vulnerability on Apache JSPWiki
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M3
Description: A carefully crafted malicious attachment could trigger an XSS vulnerability on Apache JSPWiki, which could lead to session hijacking.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M4 or later.
Credit: This issue was discovered independently of each other by Jegatheesh A, from ZOHO-CRM Security team and RunningSnail.
ref: https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2019-10076
[ANNOUNCE] Apache JSPWiki 2.11.0.M4 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0.M4. This is the fourth release towards the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components. M# releases are as production-ready as any other JSPWiki release, please see [#1] to know how this label is used on Apache JSPWiki releases.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0.M4
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12345211
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[#1]: https://jspwiki-wiki.apache.org/Wiki.jsp?page=VersioningProposal
[CVE-2019-0224] Apache JSPWiki Cross-site scripting vulnerability
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M2
Description: A carefully crafted URL could execute javascript on another user's session. No information could be saved on the server or jspwiki database, nor would an attacker be able to execute js on someone else's browser; only on its own browser.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M3 or later.
Credit: This issue was discovered by Muthukumar Marikani (https://twitter.com/unkn0wn_p3rson), from ZOHO-CRM Security Team
[CVE-2019-0225] Apache JSPWiki Local File Inclusion (limited ROOT folder) vulnerability leads to user information disclosure
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: Apache JSPWiki up to 2.11.0.M2
Description: A specially crafted url could be used to access files under the ROOT directory of the application on Apache JSPWiki, which could be used by an attacker to obtain registered users' details.
Mitigation: Apache JSPWiki users should upgrade to 2.11.0.M3 or later.
Credit: This issue was discovered by Muthukumar Marikani (https://twitter.com/unkn0wn_p3rson), from ZOHO-CRM Security Team
[ANNOUNCE] Apache JSPWiki 2.11.0.M2 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0.M2. This is the second release towards the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components. M# releases are as production-ready as any other JSPWiki release, please see [#1] to know how this label is used on Apache JSPWiki releases.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0.M2
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12343994
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[#1]: https://jspwiki-wiki.apache.org/Wiki.jsp?page=VersioningProposal
[ANNOUNCE] Apache JSPWiki 2.11.0.M1 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.11.0.M1. This is the first release towards the 2.11 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components. M# releases are as production-ready as any other JSPWiki release, please see [#1] to know how this label is used on Apache JSPWiki releases.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.11.0.M1
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12343348
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.11
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[#1]: https://jspwiki-wiki.apache.org/Wiki.jsp?page=VersioningProposal
[ANNOUNCE] Apache JSPWiki 2.10.5 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.10.5. This is the fifth release on the 2.10 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.10.5
The full change log is available here: https://issues.apache.org/jira/browse/JSPWIKI/fixforversion/12343310
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.10
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[ANNOUNCE] Apache JSPWiki 2.10.4 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.10.4. This is the fourth release on the 2.10 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.10.4
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732=12342771
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.10
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[ANNOUNCE] Apache JSPWiki 2.10.2 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.10.2. This is the third release on the 2.10 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: http://www.apache.org/dyn/closer.cgi/jspwiki/
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.10.2
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12327049==12310732
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.10
We welcome your help and feedback. For more information on how to report problems, and to get involved visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[ANNOUNCE] Apache JSPWiki 2.10.1 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.10.1. This is the second release on the 2.10 series of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: http://www.apache.org/dyn/closer.cgi/jspwiki/
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.10.1
The full change log is available here: https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732version=12325764
A curated change log is also available here: https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.10#section-NewIn2.10-NewInJSPWiki2.10.1ReleasedOn29052014
We welcome your help and feedback. For more information on how to report problems and to get involved, visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[ANNOUNCE] Apache JSPWiki 2.10.0 released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.10.0. This is the 2.10.0 release of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard JEE components.
The release is available here: http://www.apache.org/dyn/closer.cgi/jspwiki/
JSPWiki Maven artifacts are available under org.apache.jspwiki groupId, version 2.10.0
The full change log is available here: https://issues.apache.org/jira/browse/jspwiki/fixforversion/12323941
You can also see what's new in this version at https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.10
We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at http://jspwiki.apache.org/
The Apache JSPWiki Team
[ANNOUNCE] Apache JSPWiki 2.9.1-incubating released
The Apache JSPWiki team is pleased to announce the release of JSPWiki 2.9.1-incubating from the Apache Incubator. This is the second release of Apache JSPWiki, a feature-rich and extensible WikiWiki engine built around the standard J2EE components.
The release is available here: http://www.apache.org/dyn/closer.cgi/incubator/jspwiki/
The full change log is available here: https://issues.apache.org/jira/browse/jspwiki/fixforversion/12321249
We welcome your help and feedback. For more information on how to report problems, and to get involved, visit the project website at http://incubator.apache.org/jspwiki/
The Apache JSPWiki Team