CVE-2024-37389

MEDIUM

Apache NiFi 1.10.0-1.26.0 & 2.0.0-M1-M3 - Authenticated Stored XSS in Parameter Context Description

Title source: llm

Description

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

References (2)

Core 2

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2024/07/08/1

Mailing List vendor-advisory

https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh

Scores

CVSS v3 4.6

EPSS 0.0171

EPSS Percentile 82.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

apache/nifi 2.0.0 milestone1 (14 CPE variants)

apache/nifi 1.10.0 - 1.27.0

org.apache.nifi/nifi-web-ui 1.10.0 - 1.27.0Maven

Published Jul 08, 2024

Tracked Since Feb 18, 2026