Multiple SonicWall Products Vulnerabilities
June 25, 2024 Chemical Industry Notified of Potential CISA CSAT Data Breach
Severity
Medium
Analysis Summary
CVE-2024-27136 CVSS:6.1
Apache JSPWiki is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Upload page. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2024-29868 CVSS:7.5
Apache StreamPipes could allow a remote attacker to obtain sensitive information, caused by the use of a weak pseudo-random number generator (PRNG) in recovery token generation. By using cryptographic attack techniques, an attacker could exploit this vulnerability to obtain recovery token information and use it to launch further attacks against the affected system.
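The weak-PRNG issue described for CVE-2024-29868, shown as an added example that is not StreamPipes code: a recovery-token issuer with a non-cryptographic generator beside a hardened form. The class and method names are hypothetical, java.util.Random stands in for the weak generator (the advisory does not name the one used), the 15-minute lifetime is a constructed value, and Java 16 or later is assumed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;

public class RecoveryTokens {  // hypothetical class, not part of any Apache project
    private record Entry(byte[] tokenHash, Instant expires) {}
    private static final SecureRandom CSPRNG = new SecureRandom();
    private static final Map<String, Entry> PENDING = new ConcurrentHashMap<>();

    // Weak form, for comparison only: java.util.Random is a 48-bit linear
    // congruential generator and is not cryptographically secure.
    static String weakToken() {
        return Long.toHexString(new Random().nextLong());
    }

    // Hardened form: 256 bits from the platform CSPRNG, URL-safe encoding.
    static String issue(String user) throws Exception {
        byte[] raw = new byte[32];
        CSPRNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Keep only a hash server-side, with a short lifetime (constructed: 15 min).
        PENDING.put(user, new Entry(sha256(token), Instant.now().plusSeconds(900)));
        return token;
    }

    // Valid only if unexpired and matching; a token can be redeemed once.
    static boolean redeem(String user, String presented) throws Exception {
        Entry e = PENDING.get(user);
        if (e == null) return false;
        if (Instant.now().isAfter(e.expires())) { PENDING.remove(user); return false; }
        if (!MessageDigest.isEqual(e.tokenHash(), sha256(presented))) return false;
        return PENDING.remove(user, e);  // only one concurrent caller wins
    }

    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String token = issue("alice@example.org");  // constructed sample user
        System.out.println("weak form (do not use): " + weakToken());
        System.out.println("wrong token accepted:   " + redeem("alice@example.org", "guess"));
        System.out.println("valid token accepted:   " + redeem("alice@example.org", token));
        System.out.println("replay accepted:        " + redeem("alice@example.org", token));
    }
}
```

Rate limiting of failed redemption attempts is outside this sketch and would sit in front of redeem().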
Impact
- Information Disclosure
- Cross-Site Scripting
Indicators of Compromise
CVE
- CVE-2024-27136
- CVE-2024-29868
Affected Vendors
Affected Products
- Apache StreamPipes 0.69.0
- Apache JSPWiki 2.12.1
- Apache StreamPipes 0.93.0
Remediation
Upgrade to the latest versions of Apache JSPWiki and Apache StreamPipes, available from the Apache website.