
Multiple Apache Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-27136 CVSS:6.1

Apache JSPWiki is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Upload page. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2024-29868 CVSS:7.5

Apache StreamPipes could allow a remote attacker to obtain sensitive information, caused by the use of a weak pseudo-random number generator (PRNG) in recovery token generation. By utilizing cryptographic attack techniques, an attacker could exploit this vulnerability to obtain recovery token information and use it to launch further attacks against the affected system.
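The weak-PRNG pattern described above next to its hardened form, as an added Java example that is not StreamPipes code. The advisory does not say which generator was used or how it was seeded, so `java.util.Random` and the `seed` parameter are assumptions, and the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class RecoveryTokenDemo {

    private static final int TOKEN_BYTES = 32; // 256 bits of token material

    // Hardened pattern: one shared SecureRandom backed by the platform CSPRNG.
    private static final SecureRandom CSPRNG = new SecureRandom();

    // Weak pattern (assumed for illustration): java.util.Random is a 48-bit
    // linear congruential generator. Every byte it emits is a function of the
    // seed, so a token built from it carries at most 48 bits of secrecy.
    static String weakToken(long seed) {
        byte[] buf = new byte[TOKEN_BYTES];
        new Random(seed).nextBytes(buf);
        return encode(buf);
    }

    // Hardened pattern: token bytes come from the CSPRNG, with no
    // application-supplied seed to reproduce.
    static String strongToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        CSPRNG.nextBytes(buf);
        return encode(buf);
    }

    // URL-safe Base64 without padding, so the token can sit in a recovery link.
    private static String encode(byte[] raw) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) {
        long seed = 1719273600000L; // constructed sample seed (a millisecond timestamp)
        String first = weakToken(seed);
        String second = weakToken(seed);
        // Same seed, same token: the weak generator adds no secrecy of its own.
        System.out.println("weak tokens equal for same seed: " + first.equals(second));
        // Two CSPRNG tokens are independent 256-bit values.
        System.out.println("strong tokens equal: " + strongToken().equals(strongToken()));
    }
}
```

When reviewing code for this class of flaw, look for `java.util.Random`, `Math.random()` or `ThreadLocalRandom` on any path that produces password-reset, recovery or session tokens.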

Impact

  • Information Disclosure
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2024-27136
  • CVE-2024-29868

Affected Vendors

Apache

Affected Products

  • Apache StreamPipes 0.69.0
  • Apache JSPWiki 2.12.1
  • Apache StreamPipes 0.93.0

Remediation

Upgrade to the latest version of the affected Apache products, available from the Apache website.

CVE-2024-27136

CVE-2024-29868