PT-2024-27515 · Apache · Apache NiFi

Akbar Kustirama

·

Published

2024-07-07

·

Updated

2024-07-11

·

CVE-2024-37389

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Apache NiFi versions 1.10.0 through 1.26.0
Apache NiFi versions 2.0.0-M1 through 2.0.0-M3

Description

The description field of the Parameter Context configuration is vulnerable to cross-site scripting. An authenticated user who is authorized to configure a Parameter Context can enter arbitrary JavaScript code into this field, and the client browser of a user viewing it will execute that code within the session context of the authenticated user.

Recommendations

For Apache NiFi versions 1.10.0 through 1.26.0, upgrade to Apache NiFi 1.27.0. For Apache NiFi versions 2.0.0-M1 through 2.0.0-M3, upgrade to Apache NiFi 2.0.0-M4.
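As an added illustration that is not part of the advisory, the following Python check maps an installed NiFi version string onto the affected ranges and fixed releases stated above, so a defender can triage an inventory; the host names in the sample are constructed, and the milestone ordering (2.0.0-M3 before 2.0.0) is an assumption about NiFi's version scheme.

```python
import re

# Version pattern: "1.26.0" or a milestone such as "2.0.0-M3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn a NiFi version string into a sortable tuple.

    Milestones carry flag 0 plus their number; GA releases carry flag 1,
    so 2.0.0-M3 sorts before 2.0.0 (assumed ordering).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NiFi version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# (lowest affected, highest affected, fixed release) taken from the advisory.
AFFECTED_RANGES = [
    ("1.10.0", "1.26.0", "1.27.0"),
    ("2.0.0-M1", "2.0.0-M3", "2.0.0-M4"),
]


def check_nifi_version(version: str):
    """Return the release to upgrade to, or None if the version is outside every affected range."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [("nifi-a", "1.26.0"), ("nifi-b", "1.27.0"), ("nifi-c", "2.0.0-M2")]
    for host, ver in inventory:
        print(host, ver, check_nifi_version(ver) or "not affected")
```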

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-37389
GHSA-H658-QQV9-QWV8

Affected Products

Apache NiFi