CVE-2024-37389

MEDIUM

Apache Nifi < 1.27.0 - XSS

Title source: rule

Description

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

References (2)

[Mailing List] https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh

[Mailing List] http://www.openwall.com/lists/oss-security/2024/07/08/1

Scores

CVSS v3 4.6

EPSS 0.0128

EPSS Percentile 79.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (16)

apache/nifi < 1.27.0

apache/nifi

... and 1 more

Timeline

Published Jul 08, 2024

Tracked Since Feb 18, 2026