HIGH🇬🇧 English

CVE-2025-24404

CVSS 8.8v3.1pub. 2025-09-09upd. 2025-11-04

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat. The attacker needs to have an authenticated account with access, and add monitor parsed by xml, returned special content can trigger the XML parsing vulnerability. This issue affects Apache HertzBeat (incubating): before 1.7.0. Users are recommended to upgrade to version 1.7.0, which fixes the issue.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Apache Hertzbeat

    APP
    Apache
    < 1.7.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2023-51653CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — JNDI injection RCE przez endpoint JMX

CVE-2023-51388CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — script injection via AviatorEvaluator (RCE)

CVE-2023-51389CRITICAL9.8PL ✓ten sam produkt

Apache Hertzbeat — YAML deserialization w endpoincie /define/yml

CVE-2026-24343HIGH8.8ten sam produkt

Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in Apache HertzBeat...

CVE-2025-48208HIGH8.8ten sam produkt

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache H...

CVE-2025-24404 — HIGH 8.8 | CVEbaza.pl