{"id":"CVE-2024-53679","details":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to view this part of the site can craft a URL, or be tricked into clicking a URL, that will give a specified user elevated rights.\n\n\n\nThis issue affects all versions of Apache VCL through 2.5.1.\n\n\n\nUsers are recommended to upgrade to version 2.5.2, which fixes the issue.","modified":"2026-04-10T05:19:34.112346Z","published":"2025-03-25T10:15:16.027Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/03/24/2"},{"type":"REPORT","url":"https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/vcl","events":[{"introduced":"0"},{"last_affected":"80d9db4172b9c08507093d8d44d51c32f1eadf19"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.5.1."}]}}],"versions":["release-2.5.1-RC1-tag","release-2.5.1-tag"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-53679.json","unresolved_ranges":[{"events":[{"introduced":"2.1"},{"fixed":"2.5.2"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}