Cybersecurity specialists report two vulnerabilities in Apache JSPWiki, a wiki engine built on Java EE components (servlets and JavaServer Pages). According to the report, successful exploitation of these flaws would enable several attack scenarios against affected instances and their users.

Below are brief descriptions of the reported flaws, together with their identifiers and their scores under the Common Vulnerability Scoring System (CVSS), as given in the report.

CVE-2021-40369: Insufficient sanitization of user-supplied data in the Denounce plugin allows a remote attacker to craft a link which, when a victim follows it, executes arbitrary HTML (and therefore script) in the victim's browser, i.e. cross-site scripting.

The vulnerability received a CVSS score of 5.3/10. Exploitation requires the victim to open the crafted link; once that happens, the attacker can steal sensitive information such as session data, alter the page content the victim sees, or mount phishing attacks from within the trusted site.
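As an added illustration of the bug class behind CVE-2021-40369 (user-supplied link data rendered into a page without sanitization), the following Python example shows a vulnerable link renderer beside a hardened one. This is example code written for this page, not JSPWiki's or the Denounce plugin's implementation, and it makes no claim about the plugin's actual code; the function names, the link format and the sample inputs are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Generic illustration of unsanitized link rendering (the XSS bug class).
# This is constructed example code, not JSPWiki's implementation.

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only web links are wanted


def render_link_vulnerable(href, text):
    """Interpolates attacker-controlled values straight into markup.

    Both the attribute value and the link text are emitted verbatim, so a
    crafted href or text can break out of the tag or inject elements.
    """
    return f'<a href="{href}">{text}</a>'


def safe_href(href):
    """Return the href if it is an absolute http(s) URL, otherwise None.

    Rejecting non-http(s) schemes blocks javascript: and data: links, which
    survive HTML escaping because they are valid attribute values.
    """
    candidate = href.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_link_hardened(href, text):
    """Validate the URL scheme and HTML-escape both attribute and text.

    html.escape(quote=True) encodes & < > " and ', so neither value can
    close the attribute or open a new element.
    """
    url = safe_href(href)
    if url is None:
        # Refuse to emit a link at all; show the label as escaped plain text.
        return html.escape(text, quote=True)
    return (
        f'<a href="{html.escape(url, quote=True)}">'
        f"{html.escape(text, quote=True)}</a>"
    )


# Constructed sample inputs modelled on crafted plugin links (not a real exploit).
SAMPLES = [
    ("https://example.org/", "A normal link"),
    ('https://example.org/"><script>alert(1)</script>', "attribute breakout"),
    ("javascript:alert(document.cookie)", "script scheme"),
    ("https://example.org/", "<img src=x onerror=alert(1)>"),
]


def contains_active_markup(fragment):
    """Crude check used to compare the two renderers on the samples."""
    lowered = fragment.lower()
    return (
        "<script" in lowered
        or "<img" in lowered
        or 'href="javascript:' in lowered
    )


if __name__ == "__main__":
    for href, text in SAMPLES:
        print("vulnerable:", render_link_vulnerable(href, text))
        print("hardened:  ", render_link_hardened(href, text))
```

The hardened renderer applies two independent controls: scheme validation, because escaping alone does not neutralise a `javascript:` URL placed in an `href`, and context-appropriate output encoding for the attribute value and the element text. Escaping must match the output context; the HTML escaping used here would not be sufficient if the value were inserted into a script block or an event-handler attribute.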

CVE-2021-44140: This flaw stems from inadequate access restrictions in the affected software. A specially crafted HTTP request to the logout functionality could let a remote attacker delete arbitrary files on the system hosting the JSPWiki instance.

This is a high-severity flaw, with a CVSS score of 7.9/10.

According to the report, the flaws affect the following versions of Apache JSPWiki: 2.1.120, 2.1.121, 2.1.122, 2.4.103, 2.4.104, 2.5.139, 2.5.139 beta, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.11.0.M1, 2.11.0.M2, 2.11.0.M3, 2.11.0.M4, 2.11.0.M5, 2.11.0.M6, 2.11.0.M7 and 2.11.0.M8.

Although both flaws can be triggered remotely by unauthenticated attackers (the XSS additionally needs a victim to follow the crafted link), no in-the-wild exploitation attempts and no malware associated with these flaws have been reported so far. Still, administrators of affected deployments are encouraged to upgrade to a fixed release as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.