CVE-2018-17193
published 2018-12-19CVE-2018-17193: The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack…
medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
The message-page.jsp error page used the value of the HTTP request header X-ProxyContextPath without sanitization, resulting in a reflected XSS attack. Mitigation: The fix to correctly parse and sanitize the request attribute value was applied on the Apache NiFi 1.8.0 release. Users running a prior 1.x release should upgrade to the appropriate release.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | nifi | — | — |
| apache | nifi | 1.0.0 – 1.7.1 | — |
| apache_software_foundation | apache_nifi | — | — |