cvelistv5 - cve-2024-38379

CVE-2024-38379 (GCVE-0-2024-38379)

Vulnerability from cvelistv5 – Published: 2024-06-22 09:09 – Updated: 2025-03-19 14:35

Title

Apache Allura: Stored authenticated XSS

Summary

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue.

Severity ?

No CVSS data available.

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/2lb6vp00sj2b2snpm…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Allura	Affected: 1.4.0 , ≤ 1.17.0 (semver)

Credits

Ömer "WASP" Akincir

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-38379",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-22T16:26:00.794232Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-19T14:35:10.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-13T16:03:27.951Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2024/06/21/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Allura",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.17.0",
              "status": "affected",
              "version": "1.4.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "\u00d6mer \"WASP\" Akincir "
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\u0026nbsp; Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Apache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\n\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\n\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-22T09:09:32.464Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Allura: Stored authenticated XSS",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-38379",
    "datePublished": "2024-06-22T09:09:32.464Z",
    "dateReserved": "2024-06-14T14:41:30.189Z",
    "dateUpdated": "2025-03-19T14:35:10.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.4.0\", \"versionEndExcluding\": \"1.17.1\", \"matchCriteriaId\": \"855B6563-AFF2-4EE0-99C5-92A15EAD4D6E\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\\n\\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\\n\\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"La configuraci\\u00f3n del vecindario de Apache Allura es vulnerable a un ataque XSS almacenado. Solo los administradores de vecindario pueden acceder a estas configuraciones, por lo que el alcance del riesgo se limita a configuraciones en las que no se conf\\u00eda plenamente en los administradores de vecindario. Este problema afecta a Apache Allura: desde 1.4.0 hasta 1.17.0. Se recomienda a los usuarios actualizar a la versi\\u00f3n 1.17.1, que soluciona el problema.\"}]",
      "id": "CVE-2024-38379",
      "lastModified": "2024-11-21T09:25:32.330",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 2.7}]}",
      "published": "2024-06-22T09:15:09.577",
      "references": "[{\"url\": \"https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp\", \"source\": \"security@apache.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/21/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-38379\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-06-22T09:15:09.577\",\"lastModified\":\"2025-03-19T15:15:47.657\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\\n\\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\\n\\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\\n\\n\"},{\"lang\":\"es\",\"value\":\"La configuraci\u00f3n del vecindario de Apache Allura es vulnerable a un ataque XSS almacenado. Solo los administradores de vecindario pueden acceder a estas configuraciones, por lo que el alcance del riesgo se limita a configuraciones en las que no se conf\u00eda plenamente en los administradores de vecindario. Este problema afecta a Apache Allura: desde 1.4.0 hasta 1.17.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.17.1, que soluciona el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.4.0\",\"versionEndExcluding\":\"1.17.1\",\"matchCriteriaId\":\"855B6563-AFF2-4EE0-99C5-92A15EAD4D6E\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp\",\"source\":\"security@apache.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/06/21/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/21/1\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-09-13T16:03:27.951Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-38379\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-22T16:26:00.794232Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-22T16:26:09.813Z\"}}], \"cna\": {\"title\": \"Apache Allura: Stored authenticated XSS\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"\\u00d6mer \\\"WASP\\\" Akincir \"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Allura\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.4.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.17.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\\n\\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\\n\\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eApache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\u0026nbsp; Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\u003cbr\u003e\u003c/p\u003e\u003cp\u003eThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-06-22T09:09:32.464Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-38379\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-19T14:35:10.998Z\", \"dateReserved\": \"2024-06-14T14:41:30.189Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-06-22T09:09:32.464Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-38379

Vulnerability from fkie_nvd - Published: 2024-06-22 09:15 - Updated: 2025-03-19 15:15

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2024/06/21/1
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp	Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	allura	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:allura:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "855B6563-AFF2-4EE0-99C5-92A15EAD4D6E",
              "versionEndExcluding": "1.17.1",
              "versionStartIncluding": "1.4.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\n\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\n\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.\n\n"
    },
    {
      "lang": "es",
      "value": "La configuraci\u00f3n del vecindario de Apache Allura es vulnerable a un ataque XSS almacenado. Solo los administradores de vecindario pueden acceder a estas configuraciones, por lo que el alcance del riesgo se limita a configuraciones en las que no se conf\u00eda plenamente en los administradores de vecindario. Este problema afecta a Apache Allura: desde 1.4.0 hasta 1.17.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.17.1, que soluciona el problema."
    }
  ],
  "id": "CVE-2024-38379",
  "lastModified": "2025-03-19T15:15:47.657",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-06-22T09:15:09.577",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2024/06/21/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

GHSA-7P4C-C4RQ-7G98

Vulnerability from github – Published: 2024-06-22 09:30 – Updated: 2025-03-19 15:31

Details

This issue affects Apache Allura: from 1.4.0 through 1.17.0.

Users are recommended to upgrade to version 1.17.1, which fixes the issue.

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-38379"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-22T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Apache Allura\u0027s neighborhood settings are vulnerable to a stored XSS attack.\u00a0 Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.\n\nThis issue affects Apache Allura: from 1.4.0 through 1.17.0.\n\nUsers are recommended to upgrade to version 1.17.1, which fixes the issue.",
  "id": "GHSA-7p4c-c4rq-7g98",
  "modified": "2025-03-19T15:31:38Z",
  "published": "2024-06-22T09:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38379"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/06/21/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CNVD-2024-39155

Vulnerability from cnvd - Published: 2024-09-25

Title

Apache Allura跨站脚本漏洞（CNVD-2024-39155）

Description

Apache Allura是美国阿帕奇（Apache）基金会的一套开源项目托管平台。该平台支持管理源代码存储库、错误报告、维基页面和博客等。 Apache Allura 1.4.0版本到1.17.0版本存在跨站脚本漏洞，该漏洞源于应用对用户提供的数据缺乏有效过滤与转义，攻击者可利用该漏洞在受害者的浏览器中执行javascript并获取有关受害者的一些敏感信息。

Severity

中

Patch Name

Apache Allura跨站脚本漏洞（CNVD-2024-39155）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp

Reference

https://nvd.nist.gov/vuln/detail/CVE-2024-38379

Impacted products

Name
Apache Apache Allura >=1.4.0，<=1.17.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-38379",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-38379"
    }
  },
  "description": "Apache Allura\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u9879\u76ee\u6258\u7ba1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u7ba1\u7406\u6e90\u4ee3\u7801\u5b58\u50a8\u5e93\u3001\u9519\u8bef\u62a5\u544a\u3001\u7ef4\u57fa\u9875\u9762\u548c\u535a\u5ba2\u7b49\u3002\n\nApache Allura 1.4.0\u7248\u672c\u52301.17.0\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884cjavascript\u5e76\u83b7\u53d6\u6709\u5173\u53d7\u5bb3\u8005\u7684\u4e00\u4e9b\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-39155",
  "openTime": "2024-09-25",
  "patchDescription": "Apache Allura\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u5957\u5f00\u6e90\u9879\u76ee\u6258\u7ba1\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u652f\u6301\u7ba1\u7406\u6e90\u4ee3\u7801\u5b58\u50a8\u5e93\u3001\u9519\u8bef\u62a5\u544a\u3001\u7ef4\u57fa\u9875\u9762\u548c\u535a\u5ba2\u7b49\u3002\r\n\r\nApache Allura 1.4.0\u7248\u672c\u52301.17.0\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884cjavascript\u5e76\u83b7\u53d6\u6709\u5173\u53d7\u5bb3\u8005\u7684\u4e00\u4e9b\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Allura\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-39155\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache Allura \u003e=1.4.0\uff0c\u003c=1.17.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2024-38379",
  "serverity": "\u4e2d",
  "submitTime": "2024-06-28",
  "title": "Apache Allura\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-39155\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-38379 (GCVE-0-2024-38379)

FKIE_CVE-2024-38379

GHSA-7P4C-C4RQ-7G98

CNVD-2024-39155

Tags

Sightings

Nomenclature