Apache Roller security advisories

Security information for Apache Roller

Reporting

Do you want disclose a potential security issue for Apache Roller? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Insufficient Session Expiration on Password Change

CVE-2025-24859 [CVE] [CVE json] [OSV json]

Last updated: 2025-04-18T15:26:03.795Z

Affected

  • Apache Roller from 1.0.0 before 6.1.5

Description

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.

This issue affects Apache Roller versions up to and including 6.1.4.

The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.



References

Credits

  • Haining Meng (finder)

Weakness in CSRF protection allows privilege escalation

CVE-2024-46911 [CVE] [CVE json] [OSV json]

Last updated: 2024-10-11T21:53:17.272Z

Affected

  • Apache Roller from 1.0.0 before 6.1.4

Description

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4.

Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue.

Roller 6.1.4 release announcement: https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw

References

Credits

  • Chi Tran from EEVEE (finder)

Insufficient input validation for some user profile and bookmark fields when Roller in untested-users mode

CVE-2024-25090 [CVE] [CVE json] [OSV json]

Last updated: 2024-07-26T08:36:45.293Z

Affected

  • Apache Roller from 5.0.0 before 6.1.3

Description

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3.

This issue affects Apache Roller: from 5.0.0 before 6.1.3.

Users are recommended to upgrade to version 6.1.3, which fixes the issue.

References

Credits

  • Jacob Hazak (reporter)

Roller’s weblog category, weblog settings and file-upload features did not properly sanitize input could be exploited to perform Reflected Cross Site Scripting (XSS) even on a Roller site configured for untrusted users.

CVE-2023-37581 [CVE] [CVE json]

Last updated: 2023-08-24T08:15:22.581Z

Affected

  • Apache Roller before 6.1.2

Description

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.2 and you should disable Roller’s File Upload feature. 

References

Credits

  • SecureLayer7 Technologies Pvt Ltd (finder)

regex injection leading to DoS

CVE-2021-33580 [CVE] [CVE json] [OSV json]

Last updated: 2021-08-18T07:43:44.770Z

Affected

  • Apache Roller from Apache Roller before 6.0.2

Description

User controlled request.getHeader("Referer"), request.getRequestURL() and request.getQueryString() are used to build and run a regex expression.

The attacker doesn’t have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.

References

Credits