Vulnerability Database

CVE-2024-37389

Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.27.0 or 2.0.0-M4 is the recommended mitigation.

CVSS v3:

  • Severity: Medium
  • Score: 5.4
  • Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Software | From | Fixed in |
|---|---|---|
| org.apache.nifi / nifi-web-ui | 1.10.0 | 1.27.0 |
| org.apache.nifi / nifi-web-ui | 2.0.0-M1 | 2.0.0-M4 |
| apache / nifi | 1.10.0 | 1.27.0 |
| apache / nifi | 2.0.0-milestone1 | 2.0.0-milestone1.x |
| apache / nifi | 2.0.0-milestone2 | 2.0.0-milestone2.x |
| apache / nifi | 2.0.0-milestone3 | 2.0.0-milestone3.x |
| apache / nifi | 2.0.0-milestone2-rc2 | 2.0.0-milestone2-rc2.x |
| apache / nifi | 2.0.0-milestone2-rc3 | 2.0.0-milestone2-rc3.x |
| apache / nifi | 2.0.0-milestone2-rc4 | 2.0.0-milestone2-rc4.x |
| apache / nifi | 2.0.0-milestone2-rc1 | 2.0.0-milestone2-rc1.x |
| apache / nifi | 2.0.0-milestone3-rc1 | 2.0.0-milestone3-rc1.x |
| apache / nifi | 2.0.0-milestone1-rc1 | 2.0.0-milestone1-rc1.x |
| apache / nifi | 2.0.0-milestone1-rc2 | 2.0.0-milestone1-rc2.x |
| apache / nifi | 2.0.0-milestone1-rc3 | 2.0.0-milestone1-rc3.x |
| apache / nifi | 2.0.0-milestone1-rc4 | 2.0.0-milestone1-rc4.x |
| apache / nifi | 2.0.0-milestone1-rc5 | 2.0.0-milestone1-rc5.x |
| apache / nifi | 2.0.0-milestone1-rc6 | 2.0.0-milestone1-rc6.x |