Apache Answer: XSS vulnerability when changing personal website
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer. This issue affects Apache Answer: before 1.3.0.
XSS attack when a user changes their personal website. A logged-in user, when modifying their personal website, can input malicious code in the website field to create such an attack. Users are recommended to upgrade to version 1.3.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-29217 is a stored XSS vulnerability in Apache Answer before 1.3.0, allowing authenticated users to inject malicious script via the personal website field.
Apache Answer, a Q&A platform, is affected by a stored cross-site scripting (XSS) vulnerability identified as CVE-2024-29217. The root cause is improper neutralization of user-supplied input in the personal website field during profile modification [1][2]. This allows a logged-in user to inject arbitrary JavaScript or HTML code into that field [2].
To exploit the vulnerability, an attacker must be an authenticated user with the ability to edit their profile. While modifying their personal website URL, they can submit malicious code as part of the value. The application fails to sanitize or encode this input before storing it and later rendering it in web pages [1]. The attack does not require any special privileges beyond a standard user account [2].
When the injected content is rendered in a browser (e.g., when another user views the attacker's profile or the personal website link is displayed), the malicious script executes in the context of the victim's session. This can lead to data theft, session hijacking, or other actions impersonating the victim [1][2]. The severity is marked as important [2].
The vulnerability affects Apache Answer versions before 1.3.0. The fix was released in version 1.3.0, and users are strongly advised to upgrade immediately [1][2]. No workarounds are provided, and upgrading is the recommended mitigation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
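The narrative above names the two missing controls: input that is neither validated nor encoded before storage, and output that is rendered without escaping. The following Go example (added here; it is not Apache Answer's own code, and `NormalizeWebsite` and `RenderWebsiteLink` are hypothetical helper names) shows both layers for a profile "personal website" field: accept only absolute http/https URLs on input, and HTML-escape the stored value on output.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"strings"
)

var ErrInvalidWebsite = errors.New("personal website must be an absolute http(s) URL")

// NormalizeWebsite validates the profile "personal website" value on input.
// Only absolute http/https URLs with a host are stored; script-capable schemes,
// bare markup and embedded credentials are rejected, and the accepted URL is
// re-serialised so reserved characters in the path are percent-encoded.
func NormalizeWebsite(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", nil // an empty field just means "no website"
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", ErrInvalidWebsite
	}
	scheme := strings.ToLower(u.Scheme)
	if (scheme != "http" && scheme != "https") || u.Host == "" || u.User != nil {
		return "", ErrInvalidWebsite
	}
	return u.String(), nil
}

// RenderWebsiteLink builds the anchor shown on the profile page. The value is
// HTML-escaped again on output (defence in depth), so whatever is stored can
// never close the href attribute or the element.
func RenderWebsiteLink(website string) string {
	if website == "" {
		return ""
	}
	esc := html.EscapeString(website)
	return fmt.Sprintf(`<a href="%s" rel="nofollow noopener" target="_blank">%s</a>`, esc, esc)
}

func main() {
	// Constructed sample inputs: a normal URL, a script-capable scheme, and markup in the path.
	for _, in := range []string{"https://example.com/me", "javascript:void(0)", "https://example.com/<b>x</b>"} {
		out, err := NormalizeWebsite(in)
		fmt.Printf("%q -> %q err=%v html=%s\n", in, out, err, RenderWebsiteLink(out))
	}
}
```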
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/apache/incubator-answer | Go | < 1.3.0 | 1.3.0 |
Affected products
- Apache Software Foundation / Apache Answer
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cvqr-mwh6-2vc6 (advisory, via GHSA)
- lists.apache.org/thread/nc0g1borr0d3wx25jm39pn7nyf268n0x (vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-29217 (advisory, via GHSA)
- www.openwall.com/lists/oss-security/2024/04/19/1 (web, via GHSA)
News mentions
No linked articles in our index yet.