Apache · Apache NiFi · CVE-2024-45477
Name of the Vulnerable Software and Affected Versions:
Apache NiFi versions 1.10.0 through 1.27.0
Apache NiFi versions 2.0.0-M1 through 2.0.0-M3
Description:
The vulnerability allows an authenticated user, authorized to configure a Parameter Context, to enter arbitrary JavaScript code in the description field for Parameters. This code will be executed by the client browser within the session context of the authenticated user, enabling cross-site scripting attacks.
Recommendations:
For Apache NiFi versions 1.10.0 through 1.27.0, upgrade to Apache NiFi 1.28.0.
For Apache NiFi versions 2.0.0-M1 through 2.0.0-M3, upgrade to Apache NiFi 2.0.0-M4.
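
A version check for the affected ranges listed above, as an added example that is not part of the original advisory or the Apache NiFi project. It assumes versions are reported as `X.Y.Z` or `X.Y.Z-Mn`; the host names and inventory are constructed for illustration.

```python
import re

# Affected ranges and fixed releases, taken from the advisory text above.
# Each entry: (first affected, last affected, fixed release).
AFFECTED = [
    ("1.10.0", "1.27.0", "1.28.0"),
    ("2.0.0-M1", "2.0.0-M3", "2.0.0-M4"),
]
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")

def parse_version(text):
    """Return a sortable key for a version such as '1.27.0' or '2.0.0-M3'."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised NiFi version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)  # final release sorts after milestones
    return (major, minor, patch, 0, int(m.group(4)))

def check_version(text):
    """Return (affected, fixed_release) for one reported version string."""
    key = parse_version(text)
    for first, last, fixed in AFFECTED:
        if parse_version(first) <= key <= parse_version(last):
            return True, fixed
    return False, None

def audit(inventory):
    """Map host -> upgrade target; unparseable versions are flagged 'unknown'."""
    findings = {}
    for host, version in inventory.items():
        try:
            affected, fixed = check_version(version)
        except ValueError:
            findings[host] = "unknown"  # needs manual review, not a clean result
            continue
        if affected:
            findings[host] = fixed
    return findings

# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "nifi-a": "1.9.2", "nifi-b": "1.10.0", "nifi-c": "1.27.0", "nifi-d": "1.28.0",
    "nifi-e": "2.0.0-M2", "nifi-f": "2.0.0-M4", "nifi-g": "2.0.0", "nifi-h": "latest",
}

if __name__ == "__main__":
    for host, target in sorted(audit(SAMPLE).items()):
        print(f"{host}: upgrade target {target}")
```

Hosts whose version string cannot be parsed are reported as `unknown` rather than silently treated as unaffected.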