CVE-2024-23349

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack. Users are recommended to upgrade to version [1.2.5], which fixes the issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/02/22/2	Mailing List Third Party Advisory
https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/02/22/2	Mailing List Third Party Advisory
https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-02-22 10:15

Updated : 2025-03-28 20:15

NVD link : CVE-2024-23349

Mitre link : CVE-2024-23349

CVE.ORG link : CVE-2024-23349

JSON object : View

Products Affected

apache

answer

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-23349", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-02-22T10:15:08.427", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/02/22/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg", "tags": ["Mailing List", "Vendor Advisory"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/22/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1.\n\nXSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.\n\nUsers are recommended to upgrade to version [1.2.5], which fixes the issue."}, {"lang": "es", "value": "Neutralizaci\u00f3n inadecuada de la entrada durante la vulnerabilidad de generaci\u00f3n de p\u00e1ginas web ('cross-site Scripting') en Apache Answer. Este problema afecta a Apache Answer: hasta 1.2.1. Ataque XSS cuando el usuario ingresa un resumen. Un usuario que haya iniciado sesi\u00f3n, al modificar su propia pregunta enviada, puede ingresar c\u00f3digo malicioso en el resumen para crear dicho ataque. Se recomienda a los usuarios actualizar a la versi\u00f3n [1.2.5], que soluciona el problema."}], "lastModified": "2025-03-28T20:15:21.263", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F977E6DB-B10B-4AC2-BD22-EA5F228989A9", "versionEndIncluding": "1.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}