CVE-2024-29217

CWE-79 — Cross-site Scripting (XSS)CWE-284 — Improper Access Control CWE-327 — Broken Cryptographic Algorithm CWE-3478 documents5 sources

Severity

4.6MEDIUM

EPSS

0.4%

top 40.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Answer Github.com Apache/incubator-answer Apache Answer

Timeline

PublishedApr 21

Latest updateJun 9

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0. XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack. Users are recommended to upgrade to version [1.3.0], which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:LExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶NVDapache/answer< 1.3.0

▶Gogithub.com/apache/incubator-answer< 1.3.0

▶CVEListV5apache_software_foundation/apache_answer< 1.3.0

🔴Vulnerability Details

GHSA

Authlib has algorithm confusion with asymmetric public keys↗2024-06-09

▶

OSV

XSS vulnerability via personal website in github.com/apache/incubator-answer↗2024-04-26

▶

GHSA

python-jose algorithm confusion with OpenSSH ECDSA keys↗2024-04-26

▶

OSV

Apache Answer: XSS vulnerability when changing personal website↗2024-04-21

▶

CVEList

Apache Answer: XSS vulnerability when changing personal website↗2024-04-21

▶

📋Vendor Advisories

Red Hat

python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats↗2024-04-26

▶