Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
Metrics
Affected Vendors & Products
References
History
Fri, 08 Nov 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Apache
Apache nifi |
|
CPEs | cpe:2.3:a:apache:nifi:*:*:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone1:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone2:*:*:*:*:*:* cpe:2.3:a:apache:nifi:2.0.0:milestone3:*:*:*:*:*:* |
|
Vendors & Products |
Apache
Apache nifi |
Tue, 29 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 29 Oct 2024 09:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation. | |
Title | Apache NiFi: Improper Neutralization of Input in Parameter Description | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-10-29T09:00:08.387Z
Updated: 2024-10-29T14:51:54.639Z
Reserved: 2024-08-29T13:22:14.173Z
Link: CVE-2024-45477
Vulnrichment
Updated: 2024-10-29T09:03:21.719Z
NVD
Status : Analyzed
Published: 2024-10-29T09:15:07.053
Modified: 2024-11-08T15:03:57.873
Link: CVE-2024-45477
Redhat
No data.