CVE-2024-46911

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-46911
Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4. Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue. Roller 6.1.4 release announcement:  https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/6m0ghjo9j92qty00t2qb6qf2spds0p5t Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/10/12/1 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*
History

27 May 2025, 19:37

Type Values Removed Values Added
References () https://lists.apache.org/thread/6m0ghjo9j92qty00t2qb6qf2spds0p5t - () https://lists.apache.org/thread/6m0ghjo9j92qty00t2qb6qf2spds0p5t - Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2024/10/12/1 - () http://www.openwall.com/lists/oss-security/2024/10/12/1 - Mailing List, Third Party Advisory
First Time Apache
Apache roller
CPE cpe:2.3:a:apache:roller:*:*:*:*:*:*:*:*

21 Nov 2024, 09:39

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/10/12/1 -

01 Nov 2024, 17:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.7

15 Oct 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de escalada de privilegios por Cross-site Resource Forgery (CSRF) en Apache Roller. En los sitios web de Roller con varios blogs y usuarios, por defecto, se confía en los propietarios de los blogs para que publiquen contenido arbitrario en los blogs y esto, combinado con una deficiencia en las protecciones CSRF de Roller, permitió un ataque de escalada de privilegios. Este problema afecta a Apache Roller anterior a la versión 6.1.4. Se recomienda a los usuarios de Roller que ejecutan sitios web de Roller con varios blogs y usuarios que actualicen a la versión 6.1.4, que soluciona el problema. Anuncio de lanzamiento de Roller 6.1.4: https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw

14 Oct 2024, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-14 09:15

Updated : 2025-05-27 19:37

NVD link : CVE-2024-46911

Mitre link : CVE-2024-46911

CVE.ORG link : CVE-2024-46911

JSON object : View

Products Affected

apache

  • roller
CWE
CWE-352

Cross-Site Request Forgery (CSRF)