Home > Vulnerability Database > CVE-2024-37389

Mend.io Vulnerability Database

CVE-2024-37389

Good to know:

Date: July 8, 2024

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

Language: JS

Severity Score

4.6

Related Resources (8)

Url: https://github.com/apache/nifi/pull/8938

Url: https://github.com/apache/nifi

Url: https://seclists.org/oss-sec/2024/q3/29

Url: https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh

Url: https://issues.apache.org/jira/browse/NIFI-13374

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-37389

Url: https://github.com/apache/nifi/commit/1ea0bc1f7fa90ecff0ceb8b0c91a9aebeb05893b

Url: https://www.mend.io/vulnerability-database/CVE-2024-37389

Severity Score

4.6

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version rel/nifi-1.27.0,rel/nifi-2.0.0-M4

Learn More

CVSS v3.1

Base Score:	4.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-37389

Good to know:

Date: July 8, 2024

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?