VYPR
Moderate severity · NVD Advisory · Published Jan 28, 2020 · Updated Aug 4, 2024

CVE-2020-1933

Description

An XSS vulnerability was found in Apache NiFi 1.0.0 to 1.10.0. Malicious scripts could be injected into the UI through an action by an unaware authenticated user in Firefox. The issue did not appear to occur in other browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache NiFi versions 1.0.0 through 1.10.0 are vulnerable to stored XSS: script injected into the UI by one authenticated user executes for other authenticated users who view the affected page in Firefox.

Vulnerability

Description

A stored cross-site scripting (XSS) vulnerability exists in Apache NiFi versions 1.0.0 through 1.10.0. An authenticated user can inject script into content that the NiFi user interface later renders; when another authenticated user views the affected page in Firefox, the script executes in that user's browser. The issue does not appear to occur in other browsers [2].

Exploitation

To exploit the vulnerability, an attacker needs a valid NiFi account and must get another authenticated user to perform an action in Firefox that renders the injected content. The attack therefore requires user interaction and is specific to Firefox [2]. The public description does not name the exact UI field or action involved, so any more specific reproduction steps should be treated as unconfirmed.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's authenticated NiFi session. This can lead to theft of data the victim can access, session hijacking, or actions performed in the NiFi UI with the victim's privileges.

Mitigation

The vulnerability was fixed in NiFi 1.11.0, and users are advised to upgrade to 1.11.0 or later. The fix, tracked as NIFI-7023, involved changes to template handling [3].
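The following is an added illustration of the bug class described in the Description and Mitigation sections above (a user-controlled string rendered as HTML) and of the corresponding hardening. It is not Apache NiFi's code and does not reproduce the NIFI-7023 change; the "template" field names, the row markup, and the hostile sample value are assumptions constructed for the example, and the Firefox-specific behaviour is not modelled.

```javascript
// Added example: stored XSS via unescaped rendering, beside the hardened form.
// NOT Apache NiFi code. Field names, markup and sample data are assumptions.

// Constructed sample: a name an authenticated user might submit for a stored
// object (e.g. a template) that the UI later renders for other users.
const HOSTILE_NAME = '<img src=x onerror="alert(document.domain)">';

// Vulnerable pattern: interpolating the raw stored string into markup.
// Whatever the attacker stored becomes part of the DOM for every viewer.
function renderTemplateRowUnsafe(template) {
  return `<tr><td class="name">${template.name}</td>` +
         `<td class="desc">${template.description}</td></tr>`;
}

// Escape every character HTML treats as markup. Safe for element text and for
// double- or single-quoted attribute values (not for unquoted attributes,
// URLs, or JavaScript contexts, which need their own encoders).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every untrusted value is escaped at the point of output.
function renderTemplateRowSafe(template) {
  return `<tr><td class="name">${escapeHtml(template.name)}</td>` +
         `<td class="desc">${escapeHtml(template.description)}</td></tr>`;
}

// Cheap structural check usable in a unit test: after rendering, the only
// tags present must be the ones the renderer itself emits.
const ALLOWED_TAGS = new Set(["tr", "td"]);
function onlyExpectedTags(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.every((t) => ALLOWED_TAGS.has(t));
}

// Browser-side equivalent of the same fix: textContent assigns data,
// innerHTML parses markup. `cell` is any DOM element.
function setCellText(cell, value) {
  cell.textContent = value; // never cell.innerHTML = value for untrusted data
}

function demo() {
  const template = { name: HOSTILE_NAME, description: "weekly ingest" };
  const unsafe = renderTemplateRowUnsafe(template);
  const safe = renderTemplateRowSafe(template);
  return { unsafe, safe, unsafeClean: onlyExpectedTags(unsafe), safeClean: onlyExpectedTags(safe) };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("unsafe row passes tag check:", r.unsafeClean);
  console.log("safe row passes tag check:  ", r.safeClean);
  console.log(r.safe);
}
```

The onlyExpectedTags check is deliberately narrow: it only proves that no foreign element reached the output, which is the property a regression test for this class of bug should pin down. It is not a sanitiser and should not be used to filter input; escaping at the output context (or assigning via textContent) is the fix.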

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions      Patched versions
org.apache.nifi:nifi (Maven)    >= 1.0.0, < 1.11.0     1.11.0

Affected products

3
  • osv-coords (2 version ranges)
    • (no CPE) range: >= 1.0.0, <= 1.10.0
    • (no CPE) range: >= 1.0.0, < 1.11.0
  • Apache Software Foundation / Apache NiFi (v5)
    Range: Apache NiFi 1.0.0 to 1.10.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.