oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-46911: Apache Roller: Weakness in CSRF protection allows privilege escalation

From: "David M. Johnson" <snoopdave () apache org>
Date: Fri, 11 Oct 2024 21:51:39 +0000
Severity: important

Affected versions:

- Apache Roller 1.0.0 before 6.1.4

Description:

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller 
websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency 
in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4.

Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue.

Roller 6.1.4 release announcement:  https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw

Credit:

Chi Tran from EEVEE (finder)

References:

https://roller.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-46911
Previous By Date Next
Previous By Thread Next

Current thread: