CVE-2024-23349: Apache Answer Cross-site Scripting vulnerability

February 22, 2024 (updated December 11, 2024)

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Answer. This issue affects Apache Answer through 1.2.1.

XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.

Users are recommended to upgrade to version 1.2.5, which fixes the issue.

References

github.com/advisories/GHSA-8pf2-qj4v-fj64
github.com/apache/incubator-answer
lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg
nvd.nist.gov/vuln/detail/CVE-2024-23349

Detect and mitigate CVE-2024-23349 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →