CVE-2024-45477

CWE-79 — Cross-site Scripting (XSS)5 documents5 sources

Severity

4.6MEDIUM

EPSS

1.3%

top 20.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Nifi Apache Nifi

Timeline

PublishedOct 29

Description

Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 2.1 | Impact: 2.5

Affected Packages3 packages

▶Mavenorg.apache.nifi:nifi-web-ui1.10.0 — 1.28.0+1

▶NVDapache/nifi1.10.0 — 1.27.0+1

▶CVEListV5apache_software_foundation/apache_nifi1.10.0 — 1.27.0+1

🔴Vulnerability Details

OSV

Apache NiFi Cross-site Scripting vulnerability↗2024-10-29

▶

CVEList

Apache NiFi: Improper Neutralization of Input in Parameter Description↗2024-10-29

▶

GHSA

Apache NiFi Cross-site Scripting vulnerability↗2024-10-29

▶

📋Vendor Advisories

Apache

Apache nifi: CVE-2024-45477↗

▶