CVE-2019-0234 - OpenCVE

A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of Roller, which is now Roller 5.2.3.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Roller

Configuration 1 [-]

OR	cpe:2.3:a:apache:roller:5.2.0:::::::*
	cpe:2.3:a:apache:roller:5.2.1:::::::*
	cpe:2.3:a:apache:roller:5.2.2:::::::*

References

Link	Resource
https://lists.apache.org/thread.html/26cdef3fa8a8fa7fcbb99320aa860836ead124b414c654a4d12674cf%40%3Cdev.roller.apache.org%3E
https://lists.apache.org/thread.html/r81a61626d03a11e610c4fbf641f19a6075a0d082906388826829663d%40%3Cuser.roller.apache.org%3E

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2019-07-15T21:13:14

Updated: 2021-08-30T20:06:12

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0234

JSON object: View

NVD Information

Status : Modified

Published: 2019-07-15T22:15:12.133

Modified: 2023-11-07T03:01:53.330

Link: CVE-2019-0234

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "Apache Roller", "vendor": "Apache", "versions": [{"status": "affected", "version": "Roller 5.2"}, {"status": "affected", "version": "5.2.1"}, {"status": "affected", "version": "5.2.2. The unsupported pre-Roller 5.1 versions may also be affected."}]}], "datePublic": "2019-07-11T00:00:00", "descriptions": [{"lang": "en", "value": "A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of Roller, which is now Roller 5.2.3."}], "problemTypes": [{"descriptions": [{"description": "Information Disclosure", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-08-30T20:06:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://lists.apache.org/thread.html/26cdef3fa8a8fa7fcbb99320aa860836ead124b414c654a4d12674cf%40%3Cdev.roller.apache.org%3E"}, {"name": "[roller-user] 20210830 Fwd: [CVE-2019-0234] Reflected Cross-site Scripting (XSS) Vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r81a61626d03a11e610c4fbf641f19a6075a0d082906388826829663d%40%3Cuser.roller.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-0234", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Roller", "version": {"version_data": [{"version_value": "Roller 5.2"}, {"version_value": "5.2.1"}, {"version_value": "5.2.2. The unsupported pre-Roller 5.1 versions may also be affected."}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of Roller, which is now Roller 5.2.3."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Information Disclosure"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/26cdef3fa8a8fa7fcbb99320aa860836ead124b414c654a4d12674cf@%3Cdev.roller.apache.org%3E", "refsource": "CONFIRM", "url": "https://lists.apache.org/thread.html/26cdef3fa8a8fa7fcbb99320aa860836ead124b414c654a4d12674cf@%3Cdev.roller.apache.org%3E"}, {"name": "[roller-user] 20210830 Fwd: [CVE-2019-0234] Reflected Cross-site Scripting (XSS) Vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r81a61626d03a11e610c4fbf641f19a6075a0d082906388826829663d@%3Cuser.roller.apache.org%3E"}]}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0234", "datePublished": "2019-07-15T21:13:14", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2021-08-30T20:06:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:roller:5.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "CAF420A0-DEED-45B0-AF7C-33AB0D6E2552", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:roller:5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "92C690A2-4772-493E-8220-133E12692AC9", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:roller:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "C8F7FE79-D2AC-45C2-A58D-0228B0300682", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of Roller, which is now Roller 5.2.3."}, {"lang": "es", "value": "Existe una vulnerabilidad de tipo Cross-site Scripting (XSS) Reflejado en Apache Roller. El autenticador de comentarios matem\u00e1ticos de Roller no ten\u00eda la propiedad de sanear las entradas del usuario y podr\u00eda ser explotado para realizar una ataque Cross-site Scripting (XSS) Reflejado. La mitigaci\u00f3n de esta vulnerabilidad es actualizar a la \u00faltima versi\u00f3n de Roller, que ahora es Roller versi\u00f3n 5.2.3."}], "id": "CVE-2019-0234", "lastModified": "2023-11-07T03:01:53.330", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-15T22:15:12.133", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/26cdef3fa8a8fa7fcbb99320aa860836ead124b414c654a4d12674cf%40%3Cdev.roller.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r81a61626d03a11e610c4fbf641f19a6075a0d082906388826829663d%40%3Cuser.roller.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}