{"id":"CVE-2024-37389","details":"Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.","aliases":["GHSA-h658-qqv9-qwv8"],"modified":"2026-04-10T05:14:11.341530Z","published":"2024-07-08T08:15:10.847Z","related":["CGA-pp96-54w2-3233"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/07/08/1"},{"type":"ARTICLE","url":"https://lists.apache.org/thread/yso9fr0wtff53nk046h1o83hdyb1lrxh"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/nifi","events":[{"introduced":"b217ae20ad6a04cac874b2b00d93b7f7514c0b88"},{"fixed":"e0c4461d90bd4f6e5f2b81765bcff5cd97ed3e18"},{"introduced":"0"},{"last_affected":"49fa0d86746f544e294b4ba04b2795d426ba0271"},{"introduced":"0"},{"last_affected":"0a7ba3722001bb8c3f09755792c4db2b2ab61f36"},{"introduced":"0"},{"last_affected":"2c2a08ad69038e2f7b1975b288ad070a8ffdb66b"},{"introduced":"0"},{"last_affected":"5f7e637082d3ab2c45ce3d10e3bc31344e7581da"},{"introduced":"0"},{"last_affected":"99f13a89c1b49624e225e53f91d6ae8f3a2a4ab9"},{"introduced":"0"},{"last_affected":"f81a3597d40f3fe6df93d55347a11474ee6af2c8"},{"introduced":"0"},{"last_affected":"49fa0d86746f544e294b4ba04b2795d426ba0271"},{"introduced":"0"},{"last_affected":"640b7bdfbbb8842f057a9bf49dc2b9b5d092abda"},{"introduced":"0"},{"last_affected":"b462c7051d004be70fba34f2795bd5c682cd1124"},{"introduced":"0"},{"last_affected":"f50ab61772de816b08edffc97393a856b0a87ed2"},{"introduced":"0"},{"last_affected":"439ac5f596fe90d2591376caec1499ed86abfd6b"},{"introduced":"0"},{"last_affected":"640b7bdfbbb8842f057a9bf49dc2b9b5d092abda"},{"introduced":"0"},{"last_affected":"f2215c6522a5571189290760c55f0317f8562cbd"},{"introduced":"0"},{"last_affected":"f2215c6522a5571189290760c55f0317f8562cbd"}],"database_specific":{"versions":[{"introduced":"1.10.0"},{"fixed":"1.27.0"},{"introduced":"0"},{"last_affected":"2.0.0-milestone1"},{"introduced":"0"},{"last_affected":"2.0.0-milestone1\\-rc1"},{"introduced":"0"},{"last_affected":"2.0.0-milestone1\\-rc2"},{"introduced":"0"},{"last_affected":"2.0.0-milestone1\\-rc3"},{"introduced":"0"},{"last_affected":"2.0.0-milestone1\\-rc4"},{"introduced":"0"},{"last_affected":"2.0.0-milestone1\\-rc5"},{"introduced":"0"},{"last_affected":"2.0.0-milestone1\\-rc6"},{"introduced":"0"},{"last_affected":"2.0.0-milestone2"},{"introduced":"0"},{"last_affected":"2.0.0-milestone2\\-rc1"},{"introduced":"0"},{"last_affected":"2.0.0-milestone2\\-rc2"},{"introduced":"0"},{"last_affected":"2.0.0-milestone2\\-rc3"},{"introduced":"0"},{"last_affected":"2.0.0-milestone2\\-rc4"},{"introduced":"0"},{"last_affected":"2.0.0-milestone3"},{"introduced":"0"},{"last_affected":"2.0.0-milestone3\\-rc1"}]}}],"versions":["docker/nifi-1.2.0","nifi-0.2.0-incubating-RC1","nifi-0.4.1","nifi-0.4.1-RC1","nifi-0.6.0","nifi-0.6.0-RC2","nifi-1.1.0-RC2","nifi-1.2.0-RC2","nifi-1.20.0-RC1","nifi-2.0.0-M1-RC1","nifi-2.0.0-M1-RC2","nifi-2.0.0-M1-RC3","nifi-2.0.0-M1-RC4","nifi-2.0.0-M1-RC5","nifi-2.0.0-M1-RC6","nifi-2.0.0-M2-RC1","nifi-2.0.0-M2-RC2","nifi-2.0.0-M2-RC3","nifi-2.0.0-M2-RC4","nifi-2.0.0-M3-RC1","rel/nifi-1.1.0","rel/nifi-1.2.0","rel/nifi-1.20.0","rel/nifi-2.0.0-M1","rel/nifi-2.0.0-M2","rel/nifi-2.0.0-M3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37389.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}