CVE-2024-46911

CWE-352 — Cross-Site Request Forgery (CSRF)3 documents3 sources

Severity

4.7MEDIUM

EPSS

0.1%

top 76.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Roller Apache Roller

Timeline

PublishedOct 14

Description

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4. Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue. Roller 6.1.4 release an…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:LExploitability: 1.2 | Impact: 3.4

Affected Packages2 packages

▶NVDapache/roller1.0 — 6.1.4

▶CVEListV5apache_software_foundation/apache_roller1.0.0 — 6.1.4

🔴Vulnerability Details

CVEList

Apache Roller: Weakness in CSRF protection allows privilege escalation↗2024-10-14

▶

GHSA

GHSA-m3gr-45jc-g2rp: Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller↗2024-10-14

▶