14 matches found
CVE-2025-24859
CVE-2025-24859 affects Apache Roller
CVE-2019-0234
Summary: CVE-2019-0234 is a reflected XSS in Apache Roller caused by Roller's Math Comment Authenticator not properly sanitizing input. Affected versions include Roller 5.2.1–5.2.2 (and related 5.2.x builds) prior to 5.2.3. Impact: attacker-controlled input could trigger reflected XSS. Mitigation...
CVE-2018-17198
CVE-2018-17198 describes a Server-Side Request Forgery (SSRF) and File Enumeration flaw in Apache Roller 5.2.1, 5.2.0 and earlier. The issue arises because the Java SAX Parser used for the XML-RPC interface allows external entities in XML DOCTYPE by default, enabling SSRF/File Enumeration even w...
CVE-2013-4212
Apache Roller
CVE-2024-25090
Apache Roller is affected by a cross-site scripting (XSS) vulnerability due to insufficient input validation and sanitization in Profile name & screenname, Bookmark name & description, and blogroll name fields across versions 5.0.0 to 6.1.2. The issue can be exploited by an authenticated user to pe...
CVE-2014-0030
Apache Roller prior to 5.0.3 is vulnerable to XML External Entity (XXE) attacks via its XML-RPC protocol support. The issue allows an attacker to trigger XXE and read sensitive files (File Disclosure). Affected component: XML-RPC/XML processing in Roller; root cause: XXE in XML parsing. Exploitat...
CVE-2023-37581
CVE-2023-37581 affects Apache Roller (multi-user blogging platform). The vulnerability arises from insufficient input validation and sanitization in the Weblog Category name, Website About, and File Upload features, allowing an authenticated user to perform a Cross-Site Scripting (XSS) attack. Impa...
CVE-2008-6879
CVE-2008-6879 affects Apache Roller 2.3, 3.0, 3.1, and 4.0. The vulnerability is a Cross-Site Scripting (XSS) flaw caused by insufficient sanitization of the q parameter in search actions, allowing injection of arbitrary web script/HTML. Concrete details available in connected docs include produc...
CVE-2012-2380
CVE-2012-2380 affects the Apache Roller project, specifically the admin/editor console. The issue is that HTTP POST interfaces in the Roller admin/editor console were not protected against CSRF, allowing remote attackers to hijack admin/editor authentication. Affected versions include Roller 4.0....
CVE-2015-0249
The CVE-2015-0249 entry concerns Apache Roller versions 5.1 through 5.1.1. The vulnerability arises in the weblog page template, where remote authenticated users with weblog admin privileges can execute arbitrary Java code via a crafted Velocity Template Language (VTL). Root cause is the unsafe h...
CVE-2024-46911
Apache Roller contains a Cross-Site Request Forgery (CSRF) and privilege escalation vulnerability affecting versions prior to 6.1.4. On multi-blog/user Roller websites, weblog owners are trusted to publish content by default, and Roller's CSRF protections are insufficient, enabling privilege esc...
CVE-2021-33580
Apache Roller suffers a vulnerability where user-controlled inputs from Referer, Request URL, and QueryString are used to build and execute a regex, enabling regular-expression DoS (ReDoS) via catastrophic backtracking on the server. Impact described as availability issues; fixed in Roller 6.0.2....
CVE-2012-2381
Apache Roller exposes multiple XSS vulnerabilities in versions prior to 5.0.1 via untrusted blogger content. Affected: Roller 4.0.0–4.0.1, Roller 5.0, and even the unsupported Roller 3.1. The issue stems from letting bloggers post HTML/JavaScript; an upgrade path recommended by sources is Roller ...
CVE-2013-4171
Apache Roller is affected by multiple XSS vulnerabilities in the search results templates for RSS/Atom feeds, affecting versions before 5.0.2. The issue allows remote attackers to inject arbitrary scripts/HTML. A fix is available in Roller 5.0.2 (vendor patch). If exploitation details are not dis...