CVE-2024-23349

Опубликовано: 22 фев. 2024

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.

XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.

Users are recommended to upgrade to version [1.2.5], which fixes the issue.

Ссылки

http://www.openwall.com/lists/oss-security/2024/02/22/2
Mailing List
Third Party Advisory
https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/22/2
Mailing List
Third Party Advisory
https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg
Mailing List
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*

Версия до 1.2.1 (включая)

EPSS

Процентиль: 88%

0.03719

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-8pf2-qj4v-fj64