Apache Answer: XSS vulnerability when submitting summary
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.1.
A cross-site scripting attack is possible when a user enters a summary. A logged-in user, when modifying their own submitted question, can input malicious code in the summary to create such an attack.
Users are recommended to upgrade to version 1.2.5, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in Apache Answer allows logged-in users to inject malicious scripts via the summary field when editing their own questions.
Vulnerability
CVE-2024-23349 is a stored cross-site scripting (XSS) flaw in Apache Answer, a Q&A platform. The vulnerability stems from improper neutralization of user input in the summary field during web page generation. Specifically, when a logged-in user modifies their own submitted question, the summary input is not sanitized, allowing the injection of arbitrary JavaScript or HTML code [1][2].
Exploitation
An authenticated attacker can exploit this vulnerability by editing a question they have submitted and inserting malicious code into the summary field. The attack does not require elevated privileges or a special network position—only a standard user account capable of posting and editing questions. The malicious payload is stored on the server and executed in the browser of any user who views the affected question [1][2].
Impact
Successful exploitation leads to arbitrary script execution in the context of the victim's browser session. This can result in data theft, session hijacking, defacement, or redirection to malicious sites. Since the XSS is stored, every visitor to the compromised question is affected, amplifying the potential damage [1][2].
Mitigation
The vulnerability affects Apache Answer versions through 1.2.1. Users should upgrade to version 1.2.5, which contains the fix. No official workaround has been provided. As of this writing, the CVE has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2][3].
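The defect class described above, shown as an added Go example that is not Apache Answer's own code: the same stored question summary rendered once with text/template, which emits markup verbatim, and once with html/template, whose contextual auto-escaping neutralizes it. The Question type, the page template and the probe string are constructed for illustration.

```go
package main

import (
	"bytes"
	htmltmpl "html/template"
	"strings"
	texttmpl "text/template"
)

// Question is a constructed record carrying only the fields the advisory names.
type Question struct {
	Title   string
	Summary string
}

// Constructed page fragment; the summary is interpolated in HTML text context.
const page = `<article><h1>{{.Title}}</h1><p class="summary">{{.Summary}}</p></article>`

// RenderUnsafe interpolates with text/template, which performs no HTML
// escaping: stored markup in the summary reaches every viewer's browser intact.
func RenderUnsafe(q Question) string {
	t := texttmpl.Must(texttmpl.New("q").Parse(page))
	var buf bytes.Buffer
	if err := t.Execute(&buf, q); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderSafe uses html/template; its context-aware escaping turns the same
// input into inert text (&lt;script&gt;...), which is the fix for this class.
func RenderSafe(q Question) string {
	t := htmltmpl.Must(htmltmpl.New("q").Parse(page))
	var buf bytes.Buffer
	if err := t.Execute(&buf, q); err != nil {
		panic(err)
	}
	return buf.String()
}

// ContainsActiveMarkup is a coarse output check: does a raw <script tag survive?
func ContainsActiveMarkup(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	// Constructed probe string, used only to show whether escaping happened.
	q := Question{Title: "Why does my build fail?", Summary: `<script>probe()</script>`}
	println(ContainsActiveMarkup(RenderUnsafe(q)), ContainsActiveMarkup(RenderSafe(q)))
}
```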
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/apache/incubator-answer (Go) | < 1.2.5 | 1.2.5 |
Affected products
- Apache Software Foundation / Apache Answer
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8pf2-qj4v-fj64 (GHSA advisory)
- lists.apache.org/thread/y5902t09vfgy7892z3vzr1zq900sgyqg (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23349 (advisory)
- www.openwall.com/lists/oss-security/2024/02/22/2 (web)
News mentions
No linked articles in our index yet.