Lucene search

GitHub Advisory DatabaseGHSA-CVQR-MWH6-2VC6

HistoryApr 21, 2024 - 6:30 p.m.

Apache Answer: XSS vulnerability when changing personal website

2024-04-2118:30:36

CWE-79

GitHub Advisory Database

github.com

apache answer

xss vulnerability

personal website

upgrade

software

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

AI Score

7.2

Confidence

High

EPSS

Percentile

9.0%

JSON

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’/XSS) vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0.

XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack.
Users are recommended to upgrade to version [1.3.0], which fixes the issue.

Affected configurations

Vulners

Node

apacheanswerRange<1.3.0

VendorProductVersionCPE
apacheanswer*cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	answer	*	cpe:2.3:a:apache:answer::::::::

References

www.openwall.com/lists/oss-security/2024/04/19/1

github.com/advisories/GHSA-cvqr-mwh6-2vc6

lists.apache.org/thread/nc0g1borr0d3wx25jm39pn7nyf268n0x

nvd.nist.gov/vuln/detail/CVE-2024-29217