CVE-2016-8748
Description
In Apache NiFi before 1.0.1 and 1.1.x before 1.1.1, there is a cross-site scripting vulnerability in the connection details dialog when accessed by an authorized user. The user-supplied text was not being properly handled when added to the DOM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache NiFi users with authorized access to the connection details dialog could inject JavaScript due to improper input handling.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the connection details dialog of Apache NiFi versions before 1.0.1 and 1.1.x before 1.1.1 [1][2]. The dialog does not properly sanitize user-supplied text before adding it to the DOM, allowing an authorized user to inject arbitrary web script or HTML into the connection details view [2].
Exploitation
An attacker must be an authenticated and authorized user of the NiFi instance [2]. By supplying crafted script content in a field that appears in the connection details dialog, the attacker can cause the browser to execute arbitrary JavaScript when other authorized users view the same dialog [1][2]. No additional privileges or user interaction beyond viewing the dialog are required for the stored XSS to trigger.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript within the context of another authorized user's session. This can lead to information disclosure, session hijacking, or further actions within the NiFi UI with the victim's privileges [1][2]. The impact is limited to the browser session and the NiFi application context.
Mitigation
Upgrade to Apache NiFi version 1.0.1 or 1.1.1 to receive the fix [1]. No workaround is documented in the available references [1][2].
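As an added illustration of the defect class described above (not Apache NiFi's own code; the connection field names are hypothetical), the unsafe rendering of user-controlled connection fields is shown beside its hardened form, plus a check that flags any tag the template did not emit itself:

```javascript
// Added illustration, not NiFi code. Field names (name, sourceName,
// destinationName) are hypothetical stand-ins for user-editable values that
// end up in a connection details dialog.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of
// an attribute value; everything else passes through unchanged.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Unsafe: untrusted fields are interpolated raw, so once this string is
// assigned via innerHTML (or jQuery .html()) any markup in them becomes live.
function renderConnectionDetailsUnsafe(conn) {
  return '<div class="connection-details">' +
    `<span class="name">${conn.name}</span>` +
    `<span class="source">${conn.sourceName}</span>` +
    `<span class="destination">${conn.destinationName}</span>` +
    '</div>';
}

// Hardened: identical layout, but every user-supplied value is escaped so it
// can only ever be displayed as text.
function renderConnectionDetailsSafe(conn) {
  return '<div class="connection-details">' +
    `<span class="name">${escapeHtml(conn.name)}</span>` +
    `<span class="source">${escapeHtml(conn.sourceName)}</span>` +
    `<span class="destination">${escapeHtml(conn.destinationName)}</span>` +
    '</div>';
}

// Review/test helper: does the rendered fragment contain any tag other than
// the ones the template itself emits? True means untrusted markup got through.
function containsInjectedTag(html) {
  const allowed = new Set(['div', '/div', 'span', '/span']);
  const tags = html.match(/<\/?([a-zA-Z][^\s>/]*)/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1).toLowerCase()));
}

// Constructed sample: a connection whose name and labels carry markup and
// attribute-breaking characters.
const sampleConnection = {
  name: 'orders <script>notify()</script>',
  sourceName: 'GetFile "raw"',
  destinationName: 'PutHDFS & archive',
};
```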
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi (Maven) | < 1.0.1 | 1.0.1 |
| org.apache.nifi:nifi (Maven) | >= 1.1.0, < 1.1.1 | 1.1.1 |
Affected products
- Apache Software Foundation / Apache NiFi, range: 1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.securityfocus.com/bid/95621 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-g2fm-x3cp-mqw9 (ghsa: Advisory)
- nifi.apache.org/security.html (nvd: Issue Tracking, Mitigation, Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-8748 (ghsa: Advisory)
News mentions
No linked articles in our index yet.