Vulnerabilities > Apache > Allura

DATE CVE VULNERABILITY TITLE RISK
2024-06-22 CVE-2024-38379 Cross-site Scripting vulnerability in Apache Allura
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack.  Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue.
network
low complexity
apache CWE-79
4.8
2023-11-07 CVE-2023-46851 External Control of File Name or Path vulnerability in Apache Allura
Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments.
network
low complexity
apache CWE-73
4.9
2019-06-19 CVE-2019-10085 Cross-site Scripting vulnerability in Apache Allura
In Apache Allura prior to 1.11.0, a vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets.
network
low complexity
apache CWE-79
6.1
2018-03-15 CVE-2018-1319 Injection vulnerability in Apache Allura
In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting.
network
low complexity
apache CWE-74
6.1
2018-02-06 CVE-2018-1299 Path Traversal vulnerability in Apache Allura
In Apache Allura before 1.8.0, unauthenticated attackers may retrieve arbitrary files through the Allura web application.
network
low complexity
apache CWE-22
7.5