CVE-2023-37581

EPSS 0.51%
Veröffentlicht 06.08.2023 08:15:09
Zuletzt bearbeitet 21.11.2024 08:11:59
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.2 and you should disable Roller's File Upload feature.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Roller Version < 6.1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.651

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://lists.apache.org/thread/n9mjhhlm7z7b7to646tkvf3otkf21flp

Vendor Advisory

Mailing List

Mitigation

https://www.openwall.com/lists/oss-security/2023/08/16/1

https://nvd.nist.gov/vuln/detail/CVE-2023-37581

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-37581

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-37581

EUVD