CVE-2024-29217

2024-04-2116:15:47

CWE-79

apache

web.nvd.nist.gov

cve-2024-29217

cross-site scripting

apache answer

upgrade recommendation

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

AI Score

6.8

Confidence

High

EPSS

Percentile

9.0%

JSON

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0.

XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack.
Users are recommended to upgrade to version [1.3.0], which fixes the issue.

Affected configurations

Vulners

Node

apacheanswerRange≤1.3.0

VendorProductVersionCPE
apacheanswer*cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	answer	*	cpe:2.3:a:apache:answer::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Answer",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "1.3.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]