DELTA OBSCURA

We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.

Our Partners

Apache JSPWiki - v2.12.3-git-04 - Cross-Site Scripting

By 0xhamy 05:16 PM - October 22nd 2025
Type software
Product Environment web
Product Name JSPWiki
Product Vendor Apache Software Foundation
Product Version 2.12.3-git-04
Product Link https://jspwiki.apache.org/
Vulnerability Name Cross-Site Scripting
Severity High
CVSS String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score 8.7
CVE ID CVE-2025-24854
Vendor Acknowledgement Yes
Affected digital Assets
1
Affected Users
1000
Date of Reporting Jan 21, 2025
PoC Exploit -
Credit 0xhamy

Description

Apache JSPWiki v2.12.3-git-04 is vulnerable to stored cross-site scripting (XSS) in comments and page edits.
Attackers can use the Image plugin macro to embed a data: URL pointing to an SVG that executes JavaScript. The payload is stored and runs whenever a victim views the affected page or comment, enabling session theft, privilege misuse, and misleading UI/redirects.

Vulnerability Details

The endpoints:

  • /JSPWiki/Edit.jsp?page=…
  • /JSPWiki/Comment.jsp?page=…

accept user-supplied macros/plugins. The Image plugin renders data:image/svg+xml;base64,… sources without sanitizing active SVG content (e.g., onload).
Because rendering occurs in the JSPWiki origin, any authenticated viewer (including admins) who loads the page executes attacker-controlled script. The impact escalates if an attacker can impersonate or socially engineer an admin to view the malicious content.

Steps to Reproduce

  1. Open an editable page or the comment form.

    • …/JSPWiki/Edit.jsp?page=Install.jsp
    • …/JSPWiki/Comment.jsp?page=PageIndex

  2. Insert an Image plugin with a base64-SVG payload.
    Example macro (line breaks for clarity):

    [{Image
  src='data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIiBvbmxvYWQ9ImFsZXJ0KCd4c3MnKSI+PHJlY3Qgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiIGZpbGw9ImxpZ2h0Ymx1ZSIgLz48L3N2Zz4='
  caption='Testing Image'
  style='font-size:120%; color:green;'}]

  3. View the page/comment.
    The embedded SVG executes (e.g., alert('xss')).
    Decoded SVG used above:

    <svg xmlns="http://www.w3.org/2000/svg" width="200" height="200"
     onload="alert('xss')">
  <rect width="200" height="200" fill="lightblue"/>
</svg>

Recommendation

  • Sanitize plugin inputs: disallow or scrub data: SVGs; strip event handlers (on*), scripts, and external refs when rendering macros.
  • Restrict Image plugin sources to vetted schemes/MIME types (e.g., https raster only) and validate against an allow-list.
  • Harden CSP: disallow inline scripts; restrict img-src/object-src/frame-src; consider serving user content from a separate origin.
  • Permission & moderation: limit macro usage in comments/edits, add review for rich content.

How we calculate affected digital assets

Methodology

Digital assets affected by a piece of software or hardware can include installations and real-world usage of that product across servers, websites, IoT devices, and other connected systems.

Data sources we use

  • For many web technologies, we use BuiltWith to estimate how many websites currently use a given product. Example: Vvveb usage statistics on BuiltWith .
  • For products that include telemetry or licensing beacons, we may rely on vendor-reported deployment figures to estimate the number of active installations.

Example: a vendor might share that their firewall product is deployed across a certain number of customer networks or appliances (similar to how a vendor such as NetSweeper reports its deployment footprint). We use those deployment counts as a proxy for affected digital assets.

How we estimate affected users

Estimation

The affected users value is an estimate of how many people are likely exposed to the vulnerability through the impacted assets.

Inputs we consider

  • Vendor data: when available, we use user or deployment counts provided by the vendor (for example, via telemetry, analytics, or licensing systems).
  • Asset-based estimate: when vendor data is not available, we use a conservative baseline of 100 users per asset and multiply it by the number of affected assets.

Example calculation

Suppose a vulnerability affects:

  • 20 IoT devices
  • 40 servers
  • 40 websites

Total affected assets: 20 + 40 + 40 = 100
Using our conservative baseline of 100 users per asset:

Estimated affected users: 100 assets × 100 users = 10,000 users

This approach intentionally aims to be conservative; it gives us a consistent way to compare impact across vulnerabilities and understand the approximate number of users we help protect.