CVE-2024-53679: Cross-site Scripting in Apache VCL

Severity: 8.4 HIGH (NVD)
EPSS: 0.1% (top 75.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 25

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked into clicking a URL that will give a specified user elevated rights. This issue affects all versions of Apache VCL through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

NVD: apache/vcl 2.1 2.5.2
CVEListV5: apache_software_foundation/apache_vcl 2.1 2.5.1

Vulnerability Details (2)

GHSA: GHSA-92pj-xr28-j7xr: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form (2025-03-25)
CVEList: Apache VCL: XSS vulnerability in User Lookup impacting user privileges (2025-03-25)