CVE-2023-49145

Name of the Vulnerable Software and Affected Versions Apache NiFi versions 0.7.0 through 1.23.2

Description The issue is related to the JoltTransformJSON Processor in Apache NiFi, which provides an advanced configuration user interface vulnerable to DOM-based cross-site scripting. If an authenticated user visits a crafted URL, arbitrary JavaScript code can be executed within the session context of the authenticated user.

Recommendations For Apache NiFi versions 0.7.0 through 1.23.2, upgrade to Apache NiFi 1.24.0 or 2.0.0-M1 to mitigate the issue. As a temporary workaround, consider restricting access to the JoltTransformJSON Processor for authenticated users until the upgrade is applied.