Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.
This issue affects Apache Allura: from 1.4.0 through 1.17.0.
Users are recommended to upgrade to version 1.17.1, which fixes the issue.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp | Vendor Advisory |
http://www.openwall.com/lists/oss-security/2024/06/21/1 | |
History
21 Nov 2024, 09:25
Type | Values Removed | Values Added |
---|---|---|
References | | |
References | () https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp - Vendor Advisory |
19 Sep 2024, 16:46
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:* | |
First Time | Apache; Apache allura | |
CVSS | v2 : v3 : | v2 : unknown; v3 : 4.8 |
References | () https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp - Vendor Advisory |
24 Jun 2024, 12:57
Type | Values Removed | Values Added |
---|---|---|
Summary | | |
22 Jun 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-22 09:15
Updated : 2024-11-21 09:25
NVD link : CVE-2024-38379
Mitre link : CVE-2024-38379
CVE.ORG link : CVE-2024-38379
Products Affected
apache
- allura
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')