CVE-2024-23349 Apache Answer: XSS vulnerability when submitting summary

2024-02-2209:48:20

CWE-79

apache

github.com

cve-2024-23349

apache answer

cross-site scripting

input neutralization

upgrade

AI Score

6.9

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.

XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.

Users are recommended to upgrade to version [1.2.5], which fixes the issue.

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Answer",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "versionType": "semver",
        "lessThanOrEqual": "1.2.1"
      }
    ],
    "defaultStatus": "unaffected"
  }
]