CVE-2024-37389
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
08/07/2024
Last modified:
11/07/2024
Description
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:* | 1.10.0 (including) | 1.27.0 (excluding) |
| cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc4:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc5:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone1-rc6:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc2:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc3:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone2-rc4:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:nifi:2.0.0:milestone3-rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page