{"id":"CVE-2022-34158","details":"A carefully crafted invocation on the Image plugin could trigger a CSRF vulnerability on Apache JSPWiki before 2.11.3, which could allow a group privilege escalation of the attacker's account. Further examination of this issue established that it could also be used to modify the email associated with the attacked account, and then to issue a password reset request from the login page.","aliases":["GHSA-jp3m-p26h-mm7v"],"modified":"2026-03-14T08:43:25.434954Z","published":"2022-08-04T07:15:07.650Z","references":[{"type":"ADVISORY","url":"https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2022-34158"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/jspwiki","events":[{"introduced":"0"},{"fixed":"515dff39c66c43318056fa76a20117662d2a0e8d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.11.3"}]}}],"versions":["2.10.3","2.10.3-RC1","2.10.3-RC2","2.10.4","2.10.4-RC1","2.10.4-RC2","2.10.4-RC3","2.10.5","2.10.5-RC1","2.10.5-RC2","2.11.0","2.11.0-RC1","2.11.0-RC2","2.11.0.M1","2.11.0.M1-RC1","2.11.0.M1-RC2","2.11.0.M1.RC3","2.11.0.M2","2.11.0.M2-RC1","2.11.0.M3","2.11.0.M3-RC1","2.11.0.M3-RC2","2.11.0.M4","2.11.0.M4-RC1","2.11.0.M4-RC2","2.11.0.M5","2.11.0.M5-RC1","2.11.0.M5-RC2","2.11.0.M5-RC3","2.11.0.M6","2.11.0.M6-RC1","2.11.0.M7","2.11.0.M7-RC1","2.11.0.M8","2.11.0.M8-RC1","2.11.1","2.11.1-RC1","2.11.2","2.11.2-RC1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-34158.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}