CVE-2024-27136 — Cross site scripting in Apache JSPWiki

Description

XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later.

How to fix CVE-2024-27136

To remediate CVE-2024-27136, upgrade the affected package to a fixed version below.

Maven/org.apache.jspwiki:jspwiki-main—upgrade to 2.12.2 or later

Is CVE-2024-27136 being exploited?

Likely — EPSS is 50.6%, placing CVE-2024-27136 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 2.12.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-27136
PATCHgithub.com/apache/jspwiki
WEBjspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136
WEBlists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5
WEB