CVE-2019-0213
MEDIUM
Apache Archiva < 2.2.4 - Stored Cross-Site Scripting via Logo URL Configuration
Title source: llm
Description
In Apache Archiva before 2.2.4, it may be possible to store malicious XSS code into central configuration entries, i.e. the logo URL. The vulnerability is considered as minor risk, as only users with admin role can change the configuration, or the communication between the browser and the Archiva server must be compromised.
References (9)
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/47
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/c358754a35473a61477f9d487870581a0dd7054ff95974628fa09f97%40%3Cusers.maven.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/0397ddbd17b5257cc1746b31a07294a87221c5ca24e5d19d390e28f3%40%3Cusers.archiva.apache.org%3E
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/04/30/7
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152681/Apache-Archiva-2.2.3-Cross-Site-Scripting.html
Vendor Advisory x_refsource_misc
http://archiva.apache.org/security.html#CVE-2019-0213
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ada0052409d8a4a8c4eb2c7fd6b9cd9423bc753d5fce87eb826662fb%40%3Cissues.archiva.apache.org%3E
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/108123
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/7bcea134c3d6fa72cdc1052922ac0914f399f63f4690b7937b80127d%40%3Cannounce.apache.org%3E
Scores
CVSS v3
6.5
EPSS
0.0058
EPSS Percentile
69.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-79
Status
published
Products (2)
apache/archiva
< 2.2.4
org.apache.archiva/archiva
0 - 2.2.4 (Maven)
Published
Apr 30, 2019
Tracked Since
Feb 18, 2026