CVE-2024-45719 – Apache Answer: Predictable Authorization Token Using UUIDv1
https://notcve.org/view.php?id=CVE-2024-45719
Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.0. The ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable. Users are recommended to upgrade to version 1.4.1, which fixes the issue. • https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491 • CWE-326: Inadequate Encryption Strength •
CVE-2024-40761 – Apache Answer: Avatar URL leaked user email addresses
https://notcve.org/view.php?id=CVE-2024-40761
Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue. Vulnerabilidad de fuerza de cifrado inadecuada en Apache Answer. Este problema afecta a Apache Answer: hasta la versión 1.3.5. El uso del valor MD5 del correo electrónico de un usuario para acceder a Gravatar es inseguro y puede provocar la filtración del correo electrónico del usuario. • https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x • CWE-326: Inadequate Encryption Strength •
CVE-2024-41888 – Apache Answer: The link for resetting user password is not Single-Use
https://notcve.org/view.php?id=CVE-2024-41888
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. • https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2024-41890 – Apache Answer: The link to reset the user's password will remain valid after sending a new link
https://notcve.org/view.php?id=CVE-2024-41890
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. • https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2024-29217 – Apache Answer: XSS vulnerability when changing personal website
https://notcve.org/view.php?id=CVE-2024-29217
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0. XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input malicious code in the website to create such an attack. Users are recommended to upgrade to version [1.3.0], which fixes the issue. Neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('cross-site Scripting') en Apache Answer. Este problema afecta a Apache Answer: versiones anteriores a 1.3.0. Ataque XSS cuando el usuario cambia de sitio web personal. • http://www.openwall.com/lists/oss-security/2024/04/19/1 https://lists.apache.org/thread/nc0g1borr0d3wx25jm39pn7nyf268n0x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •