CVE-2023-28158

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
5.4MEDIUM
EPSS
0.3%
top 45.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache ArchivaApache Archiva
Timeline
PublishedMar 29

Description

Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users which can create directory name to inject some XSS content and gain some privileges such admin user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:LExploitability: 2.3 | Impact: 3.7

Affected Packages3 packages

NVDapache/archiva2.02.2.10
Mavenorg.apache.archiva:archiva2.0.02.2.10

🔴Vulnerability Details

3
CVEList
Apache Archiva privilege escalation2023-03-29
GHSA
Apache Archiva vulnerable to privilege escalation via stored cross-site scripting (XSS)2023-03-29
OSV
Apache Archiva vulnerable to privilege escalation via stored cross-site scripting (XSS)2023-03-29
CVE-2023-28158 (MEDIUM CVSS 5.4) | Privilege escalation via stored XSS | cvebase.io