GitHub Advisory Database: GHSA-8PF2-QJ4V-FJ64
Feb 22, 2024 - 12:30 p.m.

Apache Answer Cross-site Scripting vulnerability

2024-02-22 12:30:56
CWE-79
GitHub Advisory Database
github.com
apache answer
cross-site scripting
vulnerability
upgrade
version 1.2.5
software
input validation

AI Score: 7.2
Confidence: High
EPSS: 0
Percentile: 9.0%

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Answer. This issue affects Apache Answer through 1.2.1.

An XSS attack is possible when a user enters a summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to carry out such an attack.

Users are recommended to upgrade to version 1.2.5, which fixes the issue.

Affected configurations

Vulners
Node: apache answer, Range: <1.2.5

Vendor | Product | Version | CPE
apache | answer | * | cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*
