This is an automated email from the ASF dual-hosted git repository.
exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-site.git
The following commit(s) were added to refs/heads/main by this push:
new 6039c732 NIFI-13897 Published CVE-2024-45477
6039c732 is described below
commit 6039c73263f4970e83d4d77477ac527984e5a1f1
Author: exceptionfactory <[email protected]>
AuthorDate: Mon Oct 28 14:40:39 2024 -0500
NIFI-13897 Published CVE-2024-45477
---
content/documentation/security.md | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/content/documentation/security.md
b/content/documentation/security.md
index b33a91fe..9e9c1165 100644
--- a/content/documentation/security.md
+++ b/content/documentation/security.md
@@ -64,6 +64,25 @@ Severity ratings represent the determination of project
members based on an eval
The following announcements include published vulnerabilities that apply
directly to Apache NiFi components.
+{{< vulnerability
+id="CVE-2024-45477"
+title="Improper Neutralization of Input in Parameter Context Description"
+published="2024-10-28"
+severity="Medium"
+products="Apache NiFi"
+affectedVersions="1.10.0 to 1.27.0 and 2.0.0-M1 to 2.0.0-M3"
+fixedVersion="1.28.0 and 2.0.0-M4"
+jira="NIFI-13675"
+pullRequest="9195"
+reporter="Muhammad Hazim Bin Nor Aizi" >}}
+
+Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a
description field for Parameters in a Parameter Context
+configuration that is vulnerable to cross-site scripting. An authenticated
user, authorized to configure a Parameter Context,
+can enter arbitrary JavaScript code, which the client browser will execute
within the session context of the authenticated user.
+Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation.
+
+{{</ vulnerability >}}
+
{{< vulnerability
id="CVE-2024-37389"
title="Improper Neutralization of Input in Parameter Context Description"
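Review bot: the new entry's `title="Improper Neutralization of Input in Parameter Context Description"` is word-for-word the same as the title of the existing CVE-2024-37389 entry that follows it in the trailing context, so readers scanning the security page will see two adjacent advisories that look like duplicates. The body text of the new entry says the affected field is the description of a Parameter within a Parameter Context, so a title that names that field (for example "Improper Neutralization of Input in Parameter Description") would distinguish the two advisories without changing the described scope. Consider also that `affectedVersions` and `fixedVersion` are consistent with the body text here (1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3, fixed in 1.28.0 and 2.0.0-M4), which is good; the only inconsistency worth addressing is the title collision.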