Apache Allura
6 CVEs affecting Apache Allura. Latest disclosed: 2024-06-22. Critical: 0, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2024-36471 | High | 7.5 | 2024-06-10 | Import functionality is vulnerable to DNS rebinding attacks between verification and processing of the URL. Project administrators can run these imports, whic… |
CVE-2018-1299 | High | 7.5 | 2018-02-06 | In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, suc… |
CVE-2019-10085 | Medium | 6.1 | 2019-06-19 | In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a… |
CVE-2018-1319 | Medium | 6.1 | 2018-03-15 | In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results m… |
CVE-2023-46851 | Medium | 4.9 | 2023-11-07 | Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could c… |
CVE-2024-38379 | Medium | 4.8 | 2024-06-22 | Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limit… |