Apache · Apache Archiva · CVE-2024-27140
**Name of the Vulnerable Software and Affected Versions**
Apache Archiva versions 2.0.0 and later
**Description**
The vulnerability is an Improper Neutralization of Input During Web Page Generation flaw, also known as Cross-site Scripting. It affects Apache Archiva, a product that is no longer supported by its maintainer, so no fix is planned. Users are advised to find an alternative or to restrict access to the instance to trusted users. An additional mitigation is to configure an HTTP proxy in front of the Archiva instance that filters out requests with malicious characters in the URL.
**Recommendations**
For Apache Archiva versions 2.0.0 and later, consider the following:
- Find an alternative to Apache Archiva.
- Restrict access to the instance to trusted users.
- Configure an HTTP proxy in front of the Archiva instance to only forward requests that do not have malicious characters in the URL.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
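
The forward-or-reject decision that the proxy recommendation above calls for, written as an added example (not code from Apache or from this advisory). The advisory does not list the malicious characters, so the blocked set, the decoding bound and the sample request targets are assumptions constructed for illustration; the check decodes percent-encoding repeatedly so that encoded and double-encoded forms are caught as well.

```python
from typing import Optional
from urllib.parse import unquote

# Assumption: the advisory names no characters; this set covers those needed
# to open a tag or break out of a quoted HTML attribute.
BLOCKED_CHARS = frozenset("<>\"'`")
# Assumption: accept at most this many nested layers of percent-encoding.
MAX_ENCODING_LAYERS = 3


def fully_decode(value: str) -> Optional[str]:
    """Percent-decode until the value stops changing.

    Returns None when the value is still changing after the allowed number
    of layers, so that deeply nested encodings are rejected outright.
    """
    for _ in range(MAX_ENCODING_LAYERS + 1):
        decoded = unquote(value)  # invalid UTF-8 becomes U+FFFD
        if decoded == value:
            return value
        value = decoded
    return None


def should_forward(request_target: str) -> bool:
    """True only if the path and query hold no blocked character in any encoding."""
    decoded = fully_decode(request_target)
    if decoded is None:
        return False
    for ch in decoded:
        if ch in BLOCKED_CHARS or ch == "\ufffd":
            return False
        if ord(ch) < 0x20 or ord(ch) == 0x7F:  # control characters, CR/LF included
            return False
    return True


if __name__ == "__main__":
    # Constructed request targets, not taken from the advisory.
    for target in (
        "/repository/example/app-1.0.jar",
        "/search?q=%3Cb%3E",
        "/search?q=%253Cb%253E",
    ):
        print(should_forward(target), target)
```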