[CVE-2022-24947] Apache JSPWiki CSRF Account Takeover#

Severity
Critical

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.1

Description
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover.

Mitigation
Apache JSPWiki users should upgrade to 2.11.2 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue.

Credit
This issue was discovered initially by Cristian Borlovan from Ounce Labs Security (ref. JSPWIKI-79), and later on and independently from this by Paulos Yibelo, from Octagon Networks.


CVE