[CVE-2022-24947] Apache JSPWiki CSRF Account Takeover#

Severity
Critical

Vendor
The Apache Software Foundation

Versions Affected
Apache JSPWiki up to 2.11.1

Description
Apache JSPWiki user preferences form is vulnerable to CSRF attacks, which can lead to account takeover. When investigating the issue the Apache JSPWiki noticed that the same technique can be used to add or remove people from wiki-groups.

Mitigation
Apache JSPWiki users should upgrade to 2.11.2 or later.

Credit
This issue was discovered by Paulos Yibelo, from Octagon Networks.