Fluid Attacks Database

Description

Apache NiFi vulnerable to Cross-site Scripting Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.apache.nifi:nifi-web-ui	>=1.10.0 <1.27.0 \|\| >=2.0.0-m1 <2.0.0-m4	1.27.0, 2.0.0-m4

Aliases

1. CVE-2024-373892. NVD-2024-373893. OSV-2024-373894. GCVE-2024-37389

References

1. https://github.com/apache/nifi/pull/89382. https://github.com/apache/nifi/commit/1ea0bc1f7fa90ecff0ceb8b0c91a9aebeb05893b3. https://issues.apache.org/jira/browse/NIFI-133744. https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.