Lucene search

GoogleOSV:GHSA-CVQR-MWH6-2VC6

HistoryApr 21, 2024 - 6:30 p.m.

Apache Answer: XSS vulnerability when changing personal website

2024-04-2118:30:36

Google

osv.dev

xss vulnerability

apache answer

personal website

input neutralization

upgrade

security issue

CVSS3

4.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

AI Score

7.2

Confidence

High

EPSS

Percentile

9.0%

JSON

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’/XSS) vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0.

XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack.
Users are recommended to upgrade to version [1.3.0], which fixes the issue.

References

www.openwall.com/lists/oss-security/2024/04/19/1

github.com/apache/incubator-answer

lists.apache.org/thread/nc0g1borr0d3wx25jm39pn7nyf268n0x

nvd.nist.gov/vuln/detail/CVE-2024-29217