CVE-2024-53679: Apache VCL: XSS vulnerability in User Lookup impacting user privileges

[Josh Thompson <jfthomps () apache org>]

Affected versions:

- Apache VCL 2.1 through 2.5.1

Description:

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the 
User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked 
in to clicking a URL that will give a specified user elevated rights.



This issue affects all versions of Apache VCL through 2.5.1.



Users are recommended to upgrade to version 2.5.2, which fixes the issue.

Credit:

Chiencp and Nothing from TeamTonTac (finder)

References:

https://vcl.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-53679