CVE-2024-25090

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3. This issue affects Apache Roller: from 5.0.0 before 6.1.3. Users are recommended to upgrade to version 6.1.3, which fixes the issue.
References
Link Resource
https://lists.apache.org/thread/lb50jqyxwf8jrfpydl6dc5zpqtpgrrwd Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*

History

16 Aug 2024, 17:56

Type Values Removed Values Added
CPE cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
References () https://lists.apache.org/thread/lb50jqyxwf8jrfpydl6dc5zpqtpgrrwd - () https://lists.apache.org/thread/lb50jqyxwf8jrfpydl6dc5zpqtpgrrwd - Mailing List, Vendor Advisory
First Time Apache
Apache roller

26 Jul 2024, 12:38

Type Values Removed Values Added
Summary
  • (es) La validación de entrada y sanitización insuficientes de las funciones Profile name & screenname, Bookmark name & description and blogroll name en todas las versiones de Apache Roller en todas las plataformas permite que un usuario autenticado realice un ataque de XSS. Mitigación: si no tiene Roller configurado para usuarios no confiables, entonces no necesita hacer nada porque confía en que sus usuarios creen HTML sin formato y otro contenido web. Si está ejecutando con usuarios no confiables, entonces debe actualizar a Roller 6.1.3. Este problema afecta a Apache Roller: desde 5.0.0 hasta 6.1.3. Se recomienda a los usuarios que actualicen a la versión 6.1.3, que soluciona el problema.

26 Jul 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-26 09:15

Updated : 2024-08-16 17:56


NVD link : CVE-2024-25090

Mitre link : CVE-2024-25090

CVE.ORG link : CVE-2024-25090


JSON object : View

Products Affected

apache

  • roller
CWE
CWE-20

Improper Input Validation

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')