Lucene search
+L

9 matches found

CVE
CVE
added 2024/02/22 9:48 a.m.6662 views

CVE-2024-23349

Apache Answer (github.com/apache/incubator-answer) is affected by a Cross-site Scripting (XSS) flaw in the summary field present through version 1.2.1. The root cause is improper neutralization of input during web page generation, enabling a logged-in user to inject malicious code when editing th...

5.4CVSS6.7AI score0.01073EPSS
CVE
CVE
added 2024/02/22 9:28 a.m.6632 views

CVE-2024-26578

CVE-2024-26578 describes a race condition in Apache Answer (through 1.2.1) caused by concurrent access to a shared resource during user registration, enabling rapid scripted submissions to create multiple accounts with the same name. The issue is a synchronization flaw that can affect account cre...

5.9CVSS5.7AI score0.00895EPSS
CVE
CVE
added 2024/02/22 9:51 a.m.3856 views

CVE-2024-22393

The CVE-2024-22393 issue affects Apache Answer up to version 1.2.1 and enables a pixel-flood DoS by uploading large image files. A logged-in user can trigger memory exhaustion, leading to a server DoS. Remediation is to upgrade to version 1.2.5 (or later). Multiple sources (NVD, Red Hat, CNVD, Ve...

9.1CVSS9.2AI score0.0248EPSS
CVE
CVE
added 2024/08/09 2:53 p.m.76 views

CVE-2024-41890

CVE-2024-41890 affects Apache Answer up to version 1.3.5. The root issue is Missing Release of Resource after Effective Lifetime: password reset links issued in succession can remain valid during the link’s validity period, enabling potential misuse or hijacking of a previously issued link. A fix...

5.3CVSS6.7AI score0.01149EPSS
CVE
CVE
added 2024/04/21 4:4 p.m.74 views

CVE-2024-29217

CVE-2024-29217 concerns the Apache Answer project, with an XSS vulnerability caused by improper neutralization of input during web page generation. The issue affects Apache Answer prior to version 1.3.0 and can be triggered when a logged-in user edits their personal website, allowing injection of...

4.6CVSS4.7AI score0.00966EPSS
CVE
CVE
added 2024/11/22 2:36 p.m.70 views

CVE-2024-45719

CVE-2024-45719 concerns Apache Answer with an Inadequate Encryption Strength vulnerability affecting versions up to 1.4.0. The issue is that IDs generated using UUID v1 can be predictable, reducing token security. The recommended fix is upgrade to version 1.4.1, which closes the flaw. Connected s...

2.6CVSS3.7AI score0.00229EPSS
CVE
CVE
added 2024/08/09 2:55 p.m.64 views

CVE-2024-41888

The CVE-2024-41888 issue affects Apache Answer through version 1.3.5, where the password-reset link remains valid after use (not single-use), allowing potential misuse or hijacking. The impact is limited to authentication flow abuse as described; affected components are the password reset mechani...

5.3CVSS6.7AI score0.01222EPSS
CVE
CVE
added 2024/01/10 8:25 a.m.63 views

CVE-2023-49619

CVE-2023-49619 concerns Apache Answer. A race condition arises from concurrent submissions that manipulate the bookmark/collection count for a question, allowing repeated submissions (e.g., via a script) to increase the number of collections beyond normal limits. Affected versions are Apache Answ...

3.1CVSS4.1AI score0.00891EPSS
CVE
CVE
added 2024/09/25 7:31 a.m.57 views

CVE-2024-40761

Apache Answer contains an Inadequate Encryption Strength vulnerability (through version 1.3.5) where the MD5 hash of a user’s email is used to access Gravatar, risking email leakage. Mitigation: upgrade to version 1.4.0 which switches to SHA-256 per the advisory. Nuclear risk: only disclosed as l...

5.3CVSS5.3AI score0.00749EPSS