CVE-2024-37389

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

5.4MEDIUM

EPSS

1.3%

top 20.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Nifi Apache Software Foundation Apache Nifi

Timeline

PublishedJul 8

Description

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶NVDapache/nifi1.10.0 — 1.27.0+1

▶Mavenorg.apache.nifi:nifi-web-ui1.10.0 — 1.27.0+1

▶CVEListV5apache_software_foundation/apache_nifi1.10.0 — 1.26.0+1

🔴Vulnerability Details

GHSA

Apache NiFi vulnerable to Cross-site Scripting↗2024-07-08

▶

OSV

Apache NiFi vulnerable to Cross-site Scripting↗2024-07-08

▶

CVEList

Apache NiFi: Improper Neutralization of Input in Parameter Context Description↗2024-07-08

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2024-37389↗

▶