WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2023-28158 Vulnerability in maven package org.apache.archiva:archiva-web-common

Description

Privilege escalation via stored XSS using the file upload service to upload malicious content. The issue can be exploited only by authenticated users which can create directory name to inject some XSS content and gain some privileges such admin user.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/18/2

https://lists.apache.org/thread/8pm6d5y9cptznm0bdny3n8voovmm0dtt

Related Vulnerabilities

CVE-2021-27644 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-server

CVE-2023-49620 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-dao

CVE-2022-46363 Vulnerability in maven package org.apache.cxf:cxf-rt-transports-http

CVE-2022-41238 Vulnerability in maven package com.groupon.jenkins-ci.plugins:dotci

CVE-2020-17510 Vulnerability in maven package org.apache.shiro:shiro-spring-boot-web-starter

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Mailing List Vendor Advisory NVD-CWE-noinfo