CVE-2023-49145: Cross-site Scripting in Apache NiFi

Severity
NVD: 5.4 (MEDIUM)
CNA: 7.9
EPSS
0.3% (top 47.35%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 27
Latest update: Nov 28

Description

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (2 packages)

NVD: apache/nifi, affected from 0.7.0, fixed in 1.24.0
CVEListV5: apache_software_foundation/apache_nifi, affected 0.7.0 through 1.23.2

Vulnerability Details (3)

GHSA
Improper Neutralization of Input in Advanced User Interface for Jolt (2023-11-28)
OSV
Improper Neutralization of Input in Advanced User Interface for Jolt (2023-11-28)
CVEList
Apache NiFi: Improper Neutralization of Input in Advanced User Interface for Jolt (2023-11-27)

Vendor Advisories (1)

Apache
Apache NiFi: CVE-2023-49145
Source: cvebase