CVE-2022-28731: Cross-Site Request Forgery (CSRF)

August 4, 2022 (updated August 10, 2022)

A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page.

References

jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732
nvd.nist.gov/vuln/detail/CVE-2022-28731

Code Behaviors & Features

Detect and mitigate CVE-2022-28731 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →