CVE-2024-46911

Apache Roller: Weakness in CSRF protection allows privilege escalation

Description

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4. Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue. Roller 6.1.4 release announcement:  https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw

Category

4.7
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.04%
Vendor Advisory apache.org
Affected: Apache Software Foundation Apache Roller
Published at:
Updated at:

References

Link Tags
https://lists.apache.org/thread/6m0ghjo9j92qty00t2qb6qf2spds0p5t vendor advisory
http://www.openwall.com/lists/oss-security/2024/10/12/1 mailing list third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-46911?
CVE-2024-46911 has been scored as a medium severity vulnerability.
How to fix CVE-2024-46911?
To fix CVE-2024-46911, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-46911 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-46911 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-46911?
CVE-2024-46911 affects Apache Software Foundation Apache Roller.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.