CVE-2024-23349 Apache Answer: XSS vulnerability when submitting summary

2024-02-2209:48:20

CWE-79

apache

www.cve.org

apache answer

xss vulnerability

cve-2024-23349

web page generation

cross-site scripting

input neutralization

upgrade

AI Score

6.9

Confidence

High

EPSS

Percentile

9.0%

JSON

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.

XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.

Users are recommended to upgrade to version [1.2.5], which fixes the issue.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Answer",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "1.2.1",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]