{"containers": {"cna": {"affected": [{"product": "Apache JSPWiki", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "Apache JSPWiki up to 2.11.2", "status": "affected", "version": "Apache JSPWiki", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by Fabrice Perez, <fabioperez AT gmail DOT com> "}], "descriptions": [{"lang": "en", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page."}], "metrics": [{"other": {"content": {"other": "critical"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"description": "CSRF Account Takeover", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-04T06:15:43", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache JSPWiki CSRF in UserPreferences.jsp", "workarounds": [{"lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue. "}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-28731", "STATE": "PUBLIC", "TITLE": "Apache JSPWiki CSRF in UserPreferences.jsp"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache JSPWiki", "version": {"version_data": [{"version_affected": "<=", "version_name": "Apache JSPWiki", "version_value": "Apache JSPWiki up to 2.11.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered by Fabrice Perez, <fabioperez AT gmail DOT com> "}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "critical"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CSRF Account Takeover"}]}]}, "references": {"reference_data": [{"name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732", "refsource": "MISC", "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Apache JSPWiki users should upgrade to 2.11.3 or later. Installations >= 2.7.0 can also enable user management workflows' manual approval to mitigate the issue. "}]}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28731", "datePublished": "2022-08-04T06:15:43", "dateReserved": "2022-04-05T00:00:00", "dateUpdated": "2022-08-04T06:15:43", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "64A3E769-A3E7-4648-8792-5138BD591C1F", "versionEndExcluding": "2.11.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A carefully crafted request on UserPreferences.jsp could trigger an CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow the attacker to modify the email associated with the attacked account, and then a reset password request from the login page."}, {"lang": "es", "value": "Una petici\u00f3n cuidadosamente dise\u00f1ada en el archivo UserPreferences.jsp podr\u00eda desencadenar una vulnerabilidad de tipo CSRF en Apache JSPWiki versiones 2.11.3, que podr\u00eda permitir al atacante modificar el correo electr\u00f3nico asociado a la cuenta atacada, y luego una petici\u00f3n de restablecimiento de contrase\u00f1a desde la p\u00e1gina de inicio de sesi\u00f3n"}], "id": "CVE-2022-28731", "lastModified": "2022-08-10T15:52:48.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-04T07:15:07.557", "references": [{"source": "security@apache.org", "tags": ["Not Applicable", "Vendor Advisory"], "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-28732"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}