PT-2024-27969 · Apache · Apache Allura
Ömer Akincir +1
Published: 2024-06-21 · Updated: 2024-09-19
CVE-2024-38379
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Apache Allura versions 1.4.0 through 1.17.0
Description
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.
Recommendations
For Apache Allura versions 1.4.0 through 1.17.0, upgrade to version 1.17.1, which fixes the issue. As a temporary workaround, consider restricting access to the neighborhood settings for untrusted neighborhood admins until the upgrade is applied.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Apache Allura