CVE-2024-38379

MEDIUM

Apache Allura <1.17.0 - XSS

Title source: llm

Description

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue.

References (2)

[Vendor Advisory] https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp

[Mailing List] http://www.openwall.com/lists/oss-security/2024/06/21/1

Scores

CVSS v3 4.8

EPSS 0.0175

EPSS Percentile 82.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (1)

apache/allura < 1.17.1

Timeline

Published Jun 22, 2024

Tracked Since Feb 18, 2026