From: Enxin Xie
To: oss-security@lists.openwall.com
Date: Fri, 19 Apr 2024 02:07:48 +0000
Subject: [oss-security] CVE-2024-29217: Apache Answer: XSS vulnerability when changing personal website

Severity: important

Affected versions:
- Apache Answer before 1.3.0

Description:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: before 1.3.0.

XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack.

Users are recommended to upgrade to version [1.3.0], which fixes the issue.

Credit:
Tsubasa Umeuchi (reporter)

References:
https://answer.incubator.apache.org
https://www.cve.org/CVERecord?id=CVE-2024-29217
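The advisory does not say how the website field was fixed in 1.3.0. As an added illustration (this is not Apache Answer's own code and makes no claim about its implementation), the Go snippet below shows the two defensive layers a user-supplied "personal website" value needs: a write-time check that only absolute http(s) URLs are stored, and contextual output escaping when the link is rendered. Function names (ValidateWebsite, RenderWebsite) and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// ErrBadWebsite is returned when a profile website value is rejected.
var ErrBadWebsite = errors.New("website must be an absolute http(s) URL")

// ValidateWebsite accepts only absolute http/https URLs with a host, so
// scheme-based payloads (javascript:, data:, ...) and bare strings are
// rejected before they are stored. It returns the normalized URL.
func ValidateWebsite(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", nil // empty is allowed: no link is rendered at all
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrBadWebsite
	}
	scheme := strings.ToLower(u.Scheme)
	if (scheme != "http" && scheme != "https") || u.Host == "" {
		return "", ErrBadWebsite
	}
	if u.User != nil { // embedded credentials have no place in a profile link
		return "", ErrBadWebsite
	}
	// url.URL.String() re-encodes characters such as '"', '<' and '>' in
	// the path, so the stored value is already attribute-safe.
	return u.String(), nil
}

// profileTmpl uses html/template, which escapes the href (URL context)
// and the link text (HTML text context) separately. html/template would
// also replace an unsafe-scheme href with "#ZgotmplZ", but validating at
// write time rejects the value with a clear error and protects any other
// consumer (for example a JavaScript frontend) that reads the stored value.
var profileTmpl = template.Must(template.New("profile").Parse(
	`<a href="{{.Website}}" rel="nofollow noopener">{{.Website}}</a>`))

// RenderWebsite validates the raw value and returns the safe HTML fragment,
// or an empty string when no website is set.
func RenderWebsite(raw string) (string, error) {
	site, err := ValidateWebsite(raw)
	if err != nil {
		return "", err
	}
	if site == "" {
		return "", nil
	}
	var sb strings.Builder
	if err := profileTmpl.Execute(&sb, struct{ Website string }{site}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed sample inputs; not taken from the advisory.
	for _, in := range []string{
		"https://example.org/~me",        // ordinary website, accepted
		"javascript:alert(1)",            // non-http scheme, rejected
		"example.org",                    // no scheme, rejected
		`https://example.org/"><img src=x>`, // attribute breakout attempt, neutralized
		"",                               // unset, renders nothing
	} {
		out, err := RenderWebsite(in)
		fmt.Printf("%q -> %q err=%v\n", in, out, err)
	}
}
```

The scheme allow-list is the part that matters for this class of bug: escaping alone keeps the attribute well-formed, but a well-formed `href="javascript:..."` is still executable, so the value must be rejected rather than merely escaped.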