Home > Vulnerability Database > CVE-2024-25090

Mend.io Vulnerability Database

CVE-2024-25090

Good to know:

Date: July 26, 2024

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3. This issue affects Apache Roller: from 5.0.0 before 6.1.3. Users are recommended to upgrade to version 6.1.3, which fixes the issue.

Language: Java

Severity Score

5.4

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-25090

Url: https://lists.apache.org/thread/lb50jqyxwf8jrfpydl6dc5zpqtpgrrwd

Url: https://www.mend.io/vulnerability-database/CVE-2024-25090

Severity Score

5.4

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version roller-6.1.3

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-25090

Good to know:

Date: July 26, 2024

Language: Java

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?