
CVE-2025-29868 – Apache Answer: Using externally referenced images can leak user privacy.
https://notcve.org/view.php?id=CVE-2025-29868
01 Apr 2025 — Private Data Structure Returned From A Public Method vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.2. If a user embeds an externally referenced image, the provider of that image may learn the IP address of every user who views it. Users are recommended to upgrade to version 1.4.5, which fixes the issue. In the new version, administrators can set whether external content can be displayed. • https://lists.apache.org/thread/l7pohw5g03g3qsvrz8pqc9t29mdv5lhf • CWE-495: Private Data Structure Returned From A Public Method •

CVE-2024-45719 – Apache Answer: Predictable Authorization Token Using UUIDv1
https://notcve.org/view.php?id=CVE-2024-45719
22 Nov 2024 — Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.0. IDs generated with UUID version 1 are not sufficiently unpredictable, so a token derived from them can be predicted. Users are recommended to upgrade to version 1.4.1, which fixes the issue. • https://lists.apache.org/thread/sz2d0z39k01nbx3r9pj65t76o1hy9491 • CWE-326: Inadequate Encryption Strength •

CVE-2024-40761 – Apache Answer: Avatar URL leaked user email addresses
https://notcve.org/view.php?id=CVE-2024-40761
25 Sep 2024 — Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. Using the MD5 hash of a user's email address to fetch a Gravatar is insecure and can leak the user's email address. The official recommendation is to use SHA256 instead. Users are recommended to upgrade to version 1.4.0, which fixes the issue. • https://lists.apache.org/thread/mmrhsfy16qwrw0pkv0p9kj40vy3sg08x • CWE-326: Inadequate Encryption Strength •

CVE-2024-41888 – Apache Answer: The link for resetting user password is not Single-Use
https://notcve.org/view.php?id=CVE-2024-41888
09 Aug 2024 — Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. A password reset link remains valid for the rest of its expiration period even after it has been used, so the link could be misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. • https://lists.apache.org/thread/jbs1j2o9rqm5sc19jyk3jcfvkmfkmyf4 • CWE-772: Missing Release of Resource after Effective Lifetime •

CVE-2024-41890 – Apache Answer: The link to reset the user's password will remain valid after sending a new link
https://notcve.org/view.php?id=CVE-2024-41890
09 Aug 2024 — Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. When a user requests several password reset emails, each one contains a link that stays valid for its full validity period, so an earlier link could be misused or hijacked. Users are recommended to upgrade to version 1.3.6, which fixes the issue. • https://lists.apache.org/thread/j7c080xj31x8rvz1pyk2h47rdd9pwbv9 • CWE-772: Missing Release of Resource after Effective Lifetime •

CVE-2024-29217 – Apache Answer: XSS vulnerability when changing personal website
https://notcve.org/view.php?id=CVE-2024-29217
21 Apr 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: before 1.3.0. XSS when a user changes their personal website: a logged-in user can enter malicious code in the personal website field of their profile, which is then rendered to other users. Users are recommended to upgrade to version 1.3.0, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/19/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-22393 – Apache Answer: Pixel Flood Attack by uploading the large pixel file
https://notcve.org/view.php?id=CVE-2024-22393
22 Feb 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. A pixel flood attack, uploading an image whose declared pixel dimensions are very large, causes the server to run out of memory. A logged-in user can trigger it by uploading such an image when posting content. Users are recommended to upgrade to version 1.2.5, which fixes the issue. • https://github.com/omranisecurity/CVE-2024-22393 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-23349 – Apache Answer: XSS vulnerability when submitting summary
https://notcve.org/view.php?id=CVE-2024-23349
22 Feb 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. XSS when a user enters a summary: a logged-in user editing their own submitted question can enter malicious code in the summary field, which is then rendered to other users. Users are recommended to upgrade to version 1.2.5, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/02/22/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-26578 – Apache Answer: Repeated submission at registration created duplicate users with the same name
https://notcve.org/view.php?id=CVE-2024-26578
22 Feb 2024 — Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1. Repeated submission during registration created duplicate users: if a registrant rapidly submits the registration form many times with a script, several user accounts with the same name are created at once. Users are recommended to upgrade to version 1.2.5, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/02/22/3 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •