PT-2024-5531 · Apache · Apache Roller

Jacob Hazak · Published 2024-07-26 · Updated 2024-08-16 · CVE-2024-25090

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Apache Roller versions 5.0.0 through 6.1.2

Description: The issue is caused by insufficient input validation and sanitization in features such as Profile name and screenname, Bookmark name and description, and blogroll name. Because these user-controlled values are not properly encoded when rendered, an authenticated remote user can store markup in them and perform a cross-site scripting (XSS) attack against other users who view the affected pages.

Recommendations: For Apache Roller versions 5.0.0 through 6.1.2, upgrade to version 6.1.3 to fix the issue. If you do not have Roller configured for untrusted users, no action is required, since you already trust your users to author raw HTML and other web content. However, if you are running with untrusted users, upgrading to version 6.1.3 is necessary.
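The following is an added illustration of the defect class the description names, not code from Apache Roller or from this advisory's author. It shows a user-controlled display field (a bookmark name and description, chosen as an assumed example of the fields listed above) rendered two ways: interpolated verbatim into HTML, which is the shape of the weakness, and HTML-escaped for the element-body context, which is the shape of the fix. It also includes a small check a maintainer can run over stored field values to find entries that would only be harmless if output encoding is in place. The sample payload and the Bookmark type are constructed for this example.

```python
import html
from dataclasses import dataclass


@dataclass
class Bookmark:
    """Constructed stand-in for a user-editable record such as Roller's
    bookmark name/description (assumption for this example only)."""
    name: str
    description: str


def render_bookmark_unsafe(b: Bookmark) -> str:
    """'Before' shape: stored field values are dropped straight into HTML.
    Any markup saved in the field becomes live markup in every reader's browser."""
    return f'<li class="bookmark"><b>{b.name}</b>: {b.description}</li>'


def render_bookmark_safe(b: Bookmark) -> str:
    """'After' shape: each value is HTML-escaped for the context it lands in.
    quote=True also escapes ' and ", so the same helper is safe inside attribute values."""
    return (
        f'<li class="bookmark"><b>{html.escape(b.name, quote=True)}</b>: '
        f'{html.escape(b.description, quote=True)}</li>'
    )


# Characters that carry meaning in an HTML body or attribute context.
MARKUP_CHARS = frozenset('<>"\'&')


def contains_markup(value: str) -> bool:
    """Cheap audit check: flag stored display-field values that contain
    HTML-significant characters. A hit is not proof of an attack, only a
    value that depends on correct output encoding to be rendered harmlessly."""
    return any(ch in MARKUP_CHARS for ch in value)


# Constructed sample record: a bookmark whose name carries a script tag,
# the textbook shape of a stored XSS payload in a profile-style field.
SAMPLE = Bookmark(
    name="Team wiki<script>alert(1)</script>",
    description="Notes & links",
)


if __name__ == "__main__":
    print("unsafe :", render_bookmark_unsafe(SAMPLE))
    print("safe   :", render_bookmark_safe(SAMPLE))
    print("flagged:", contains_markup(SAMPLE.name))
```

The escaped output is what the browser shows as literal text, so the stored value stays inert no matter which user views it. The audit helper is intentionally coarse: the real fix is consistent output encoding in the templates, and the check only helps locate records worth reviewing during an upgrade.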

Fix · XSS · RCE

Weakness Enumeration

Related Identifiers

BDU:2024-06197
CVE-2024-25090

Affected Products

Apache Roller