CVE-2024-38379

2024-06-2209:15:09

CWE-79

[email protected]

web.nvd.nist.gov

apache allura

neighborhood settings

xss attack

limited risk

admins

upgrade

cve-2024-38379

5.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Apache Allura’s neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.

This issue affects Apache Allura: from 1.4.0 through 1.17.0.

Users are recommended to upgrade to version 1.17.1, which fixes the issue.

Affected configurations

Vulners

Node

apache_software_foundationapache_jspwikiRange≤1.17.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Allura",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.17.0",
        "status": "affected",
        "version": "1.4.0",
        "versionType": "semver"
      }
    ]
  }
]

References

lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp