
The Apache Software Foundation has released a security update for Apache Roller. The vulnerability, tracked as CVE-2024-46911, is a Cross-site Request Forgery (CSRF) vulnerability that could allow an attacker to escalate privileges on multi-user Roller websites.
According to the advisory, on multi-blog/user Roller websites weblog owners are by default trusted to publish arbitrary weblog content; combined with a deficiency in Roller's CSRF protections, this allowed an escalation-of-privileges attack. Versions of Apache Roller before 6.1.4 are affected.
Apache Roller 6.1.4 fixes the issue with the following changes:
- Safer Defaults: HTML content is now sanitized by default, so script or markup injected into weblog content is stripped before it is rendered. Custom themes and file uploads are also disabled by default to reduce the attack surface exposed to weblog owners.
- Improved CSRF and XSS Protection: The update strengthens the CSRF and Cross-site Scripting (XSS) protections by using user-specific, one-time-use salts, so a token obtained in one user's session cannot be replayed or reused against another user.
- Dependency Updates: Over 20 dependency updates, including Spring, EclipseLink JPA, Log4j, Lucene, and others.
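The following added example is not Apache Roller code and does not describe Roller's pre-6.1.4 internals; it illustrates why per-user, one-time CSRF tokens matter on a multi-user site. It contrasts a deliberately weak scheme (one token shared by every session, so a weblog owner can read it and embed it in a form a site admin is tricked into submitting) with a scheme that binds each token to a user with an HMAC and consumes it on first use. The server secret, user IDs and token format are constructed for the example.

```python
"""Per-user, one-time CSRF tokens versus a shared token any logged-in user can learn.
Added illustration only; not Apache Roller code and not a description of its internals."""
import hashlib
import hmac
import secrets

# Constructed secret for the example; a real deployment loads this from configuration.
SERVER_SECRET = b"example-only-secret-do-not-use"


class SharedTokenCsrf:
    """Weak scheme, shown only for contrast: one token shared by every session.
    Any authenticated user (e.g. a weblog owner) can read it from a page they may
    render and embed it in a form that a more privileged victim submits."""

    def __init__(self) -> None:
        self._token = secrets.token_hex(16)

    def token_for(self, user_id: str) -> str:
        return self._token  # same value for everyone, never rotated

    def validate(self, user_id: str, token: str) -> bool:
        return hmac.compare_digest(self._token.encode(), token.encode())


class PerUserOneTimeCsrf:
    """Hardened scheme: token = salt ':' HMAC(secret, user_id || 0x00 || salt).
    The HMAC binds the salt to exactly one user; the salt is consumed on first use."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # Outstanding salts per user; in a web app this would live in the user's session.
        self._outstanding: dict[str, set[str]] = {}

    def _mac(self, user_id: str, salt: str) -> str:
        msg = user_id.encode() + b"\x00" + salt.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def token_for(self, user_id: str) -> str:
        salt = secrets.token_hex(16)
        self._outstanding.setdefault(user_id, set()).add(salt)
        return f"{salt}:{self._mac(user_id, salt)}"

    def validate(self, user_id: str, token: str) -> bool:
        salt, sep, mac = token.partition(":")
        if not sep:
            return False  # malformed token
        expected = self._mac(user_id, salt)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False  # forged, or issued to a different user
        pending = self._outstanding.get(user_id, set())
        if salt not in pending:
            return False  # never issued to this user, or already consumed (replay)
        pending.discard(salt)
        return True


def simulate_cross_user_csrf(scheme) -> dict:
    """Attacker 'owner' takes a token from their own session and plants it in a form
    that the higher-privileged 'admin' is tricked into submitting. Then a legitimate
    admin request is sent once and replayed. Returns what the server accepted."""
    attacker_token = scheme.token_for("owner")
    forged_accepted = scheme.validate("admin", attacker_token)
    legit_token = scheme.token_for("admin")
    first_use = scheme.validate("admin", legit_token)
    replay = scheme.validate("admin", legit_token)
    return {
        "forged_accepted": forged_accepted,
        "legit_first_use": first_use,
        "legit_replay": replay,
    }


if __name__ == "__main__":
    print("shared token :", simulate_cross_user_csrf(SharedTokenCsrf()))
    print("per-user/once:", simulate_cross_user_csrf(PerUserOneTimeCsrf(SERVER_SECRET)))
```

With the shared token the planted form is accepted and the admin's own token can be replayed; with the per-user one-time scheme the planted token fails the HMAC check for "admin", and the admin's token is accepted exactly once. A CSRF token alone does not stop a weblog owner from publishing content that runs in another user's browser, which is why the release pairs it with HTML sanitization and disabled custom themes by default.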
Operators running a multi-user Roller site on a version earlier than 6.1.4 should upgrade. The CSRF fix closes the privilege-escalation path, and the safer defaults limit what a weblog owner can publish or upload if a future flaw is found.


