CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53679 – Apache VCL: XSS vulnerability in User Lookup impacting user privileges
https://notcve.org/view.php?id=CVE-2024-53679
25 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevated rights. This issue affects all versions of Apache VCL through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. Vulnerabilidad de neutralización incorrecta de la entrada durante la... • https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53678 – Apache VCL: SQL injection vulnerability in New Block Allocation form
https://notcve.org/view.php?id=CVE-2024-53678
25 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by the attacker. This issue affects all versions of Apache VCL from 2.2 through 2.5.1. Users are recommended to upgrade to version 2.5.2, which fixes the issue. • https://lists.apache.org/thread/2bmjnzgjwwq59nv6xw44w0tnpz4k4pf4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •