CVE-2024-53679

MEDIUM

Apache Vcl < 2.5.2 - XSS

Title source: rule

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevated rights. This issue affects all versions of Apache VCL through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue.

References (2)

[Issue Tracking, Mailing List, Vendor Advisory] https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/03/24/2

Scores

CVSS v3 5.4

EPSS 0.0008

EPSS Percentile 24.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (1)

apache/vcl < 2.5.2

Timeline

Published Mar 25, 2025

Tracked Since Feb 18, 2026