9 matches found
CVE-2024-23349
Apache Answer (github.com/apache/incubator-answer) is affected by a Cross-site Scripting (XSS) flaw in the summary field present through version 1.2.1. The root cause is improper neutralization of input during web page generation, enabling a logged-in user to inject malicious code when editing th...
CVE-2024-26578
CVE-2024-26578 describes a race condition in Apache Answer (through 1.2.1) caused by concurrent access to a shared resource during user registration, enabling rapid scripted submissions to create multiple accounts with the same name. The issue is a synchronization flaw that can affect account cre...
CVE-2024-22393
The CVE-2024-22393 issue affects Apache Answer up to version 1.2.1 and enables a pixel-flood DoS by uploading large image files. A logged-in user can trigger memory exhaustion, leading to a server DoS. Remediation is to upgrade to version 1.2.5 (or later). Multiple sources (NVD, Red Hat, CNVD, Ve...
CVE-2024-41890
CVE-2024-41890 affects Apache Answer up to version 1.3.5. The root issue is Missing Release of Resource after Effective Lifetime: password reset links issued in succession can remain valid during the link’s validity period, enabling potential misuse or hijacking of a previously issued link. A fix...
CVE-2024-29217
CVE-2024-29217 concerns the Apache Answer project, with an XSS vulnerability caused by improper neutralization of input during web page generation. The issue affects Apache Answer prior to version 1.3.0 and can be triggered when a logged-in user edits their personal website, allowing injection of...
CVE-2024-45719
CVE-2024-45719 concerns Apache Answer with an Inadequate Encryption Strength vulnerability affecting versions up to 1.4.0. The issue is that IDs generated using UUID v1 can be predictable, reducing token security. The recommended fix is upgrade to version 1.4.1, which closes the flaw. Connected s...
CVE-2024-41888
The CVE-2024-41888 issue affects Apache Answer through version 1.3.5, where the password-reset link remains valid after use (not single-use), allowing potential misuse or hijacking. The impact is limited to authentication flow abuse as described; affected components are the password reset mechani...
CVE-2023-49619
CVE-2023-49619 concerns Apache Answer. A race condition arises from concurrent submissions that manipulate the bookmark/collection count for a question, allowing repeated submissions (e.g., via a script) to increase the number of collections beyond normal limits. Affected versions are Apache Answ...
CVE-2024-40761
Apache Answer contains an Inadequate Encryption Strength vulnerability (through version 1.3.5) where the MD5 hash of a user’s email is used to access Gravatar, risking email leakage. Mitigation: upgrade to version 1.4.0 which switches to SHA-256 per the advisory. Nuclear risk: only disclosed as l...