6 matches found
CVE-2024-23349
Apache Answer (github.com/apache/incubator-answer) is affected by a Cross-site Scripting (XSS) flaw in the summary field present through version 1.2.1. The root cause is improper neutralization of input during web page generation, enabling a logged-in user to inject malicious code when editing th...
CVE-2024-26578
CVE-2024-26578 describes a race condition in Apache Answer (through 1.2.1) caused by concurrent access to a shared resource during user registration, enabling rapid scripted submissions to create multiple accounts with the same name. The issue is a synchronization flaw that can affect account cre...
CVE-2024-41890
CVE-2024-41890 affects Apache Answer up to version 1.3.5. The root issue is Missing Release of Resource after Effective Lifetime: password reset links issued in succession can remain valid during the link’s validity period, enabling potential misuse or hijacking of a previously issued link. A fix...
CVE-2024-41888
The CVE-2024-41888 issue affects Apache Answer through version 1.3.5, where the password-reset link remains valid after use (not single-use), allowing potential misuse or hijacking. The impact is limited to authentication flow abuse as described; affected components are the password reset mechani...
CVE-2024-40761
Apache Answer contains an Inadequate Encryption Strength vulnerability (through version 1.3.5) where the MD5 hash of a user’s email is used to access Gravatar, risking email leakage. Mitigation: upgrade to version 1.4.0 which switches to SHA-256 per the advisory. Nuclear risk: only disclosed as l...
CVE-2026-34033
CVE-2026-34033 affects Apache Answer up to version 2.0.0. The issue is an HTML content injection (basic XSS) where user-supplied content included in notification emails was not properly escaped, allowing authenticated users to inject arbitrary HTML into emails sent to other users. The CVSS vector...