Description of the vulnerability

Due to the lack of sanitzation before displaying the rendered preview to the user resulted in a Reflected XSS vulnerability at the AJAXPreview.jsp end-point. As a result, an unauthenticated attacker is able to execute arbitrary JavaScript code by deceiving an authenticated Admin user to trigger a specially crafted payload, resulting in potential state-changing actions being carried out.

This vulnerability leverages CVE-2021-40369 where the Denounce plugin dangerously renders user-supplied URLs.

Affected file: jspwiki/jspwiki-war/src/main/webapp/templates/default/AJAXPreview.jsp

Proof-of-Concept

Request for the following URL, replacing JSPWIKI_HOST with a valid instance of JSPWiki:

http://JSPWIKI_HOST/templates/default/AJAXPreview.jsp?page=nonexistent&wikimarkup=%5B%7BDenounce%20link%3D%27%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E%27%7D%5D

You will notice that the response contains the reflected XSS payload:

Upon re-testing CVE-2021-40369, it appears that the patch was incomplete as it is still possible to insert malicious input via the Denounce plugin:

Timeline:

2022-03-14 Disclosed to Vendor
2022-03-18 Vendor patched

Description of the vulnerability#

Proof-of-Concept#

Timeline:#

Description of the vulnerability

Proof-of-Concept

Timeline: