Apache NiFi CVE-2016-8748 Cross Site Scripting Vulnerability

Apache NiFi is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.


The following versions are affected:
Apache NiFi 1.0.0
Apache NiFi 1.1.0

Information

Bugtraq ID: 95621
Class: Input Validation Error
CVE: CVE-2106-8748
CVE-2016-8748

Remote: Yes
Local: No
Published: Jan 16 2017 12:00AM
Updated: Jan 26 2018 07:00AM
Credit: Matt Gilman
Vulnerable: Apache Nifi 1.1
Apache Nifi 1.0

Not Vulnerable: Apache Nifi 1.1.1
Apache Nifi 1.0.1

Exploit

To exploit this issue an attacker must entice an unsuspecting victim to open a malicious URI.

References:

• Apache Nifi Homepage (Apache)
  
• CVE-2106-8748: Apache NiFi XSS vulnerability in connection details dialogue (Apache)
  

Source: www.securityfocus.com