Go modules package

github.com/apache/incubator-answer

pkg:golang/github.com/apache/incubator-answer

Vulnerabilities (9)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-45719	—	< 1.4.1	1.4.1	Nov 22, 2024	Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.0. The ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable. Users are recommended to upgrade
CVE-2024-40761	—	< 1.4.0	1.4.0	Sep 25, 2024	Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.
CVE-2024-41888	—	< 1.3.6	1.3.6	Aug 9, 2024	Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being mi
CVE-2024-41890	—	< 1.3.6	1.3.6	Aug 9, 2024	Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the l
CVE-2024-29217	—	< 1.3.0	1.3.0	Apr 21, 2024	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0. XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input m
CVE-2024-22393	—	< 1.2.5	1.2.5	Feb 22, 2024	Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when
CVE-2024-23349	—	< 1.2.5	1.2.5	Feb 22, 2024	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input mali
CVE-2024-26578	—	< 1.2.5	1.2.5	Feb 22, 2024	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Repeated submission during registration resulted in the registration of the same user. When users register,
CVE-2023-49619	—	< 1.2.1	1.2.1	Jan 10, 2024	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.0. Under normal circumstances, a user can only bookmark a question once, and will only increase the number o

CVE-2024-45719Nov 22, 2024
affected < 1.4.1fixed 1.4.1
Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.4.0. The ids generated using the UUID v1 version are to some extent not secure enough. It can cause the generated token to be predictable. Users are recommended to upgrade
CVE-2024-40761Sep 25, 2024
affected < 1.4.0fixed 1.4.0
Inadequate Encryption Strength vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. Using the MD5 value of a user's email to access Gravatar is insecure and can lead to the leakage of user email. The official recommendation is to use SHA256 instead.
CVE-2024-41888Aug 9, 2024
affected < 1.3.6fixed 1.3.6
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. The password reset link remains valid within its expiration period even after it has been used. This could potentially lead to the link being mi
CVE-2024-41890Aug 9, 2024
affected < 1.3.6fixed 1.3.6
Missing Release of Resource after Effective Lifetime vulnerability in Apache Answer. This issue affects Apache Answer: through 1.3.5. User sends multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the l
CVE-2024-29217Apr 21, 2024
affected < 1.3.0fixed 1.3.0
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: before 1.3.0. XSS attack when user changes personal website. A logged-in user, when modifying their personal website, can input m
CVE-2024-22393Feb 22, 2024
affected < 1.2.5fixed 1.2.5
Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Pixel Flood Attack by uploading large pixel files will cause server out of memory. A logged-in user can cause such an attack by uploading an image when
CVE-2024-23349Feb 22, 2024
affected < 1.2.5fixed 1.2.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. XSS attack when user enters summary. A logged-in user, when modifying their own submitted question, can input mali
CVE-2024-26578Feb 22, 2024
affected < 1.2.5fixed 1.2.5
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.This issue affects Apache Answer: through 1.2.1. Repeated submission during registration resulted in the registration of the same user. When users register,
CVE-2023-49619Jan 10, 2024
affected < 1.2.1fixed 1.2.1
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer. This issue affects Apache Answer: through 1.2.0. Under normal circumstances, a user can only bookmark a question once, and will only increase the number o