CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-24683: Apache Hop Engine: ID isn't escaped when generating HTML

Description

Improper Input Validation vulnerability in Apache Hop Engine.This issue affects Apache Hop Engine: before 2.8.0.

Users are recommended to upgrade to version 2.8.0, which fixes the issue.

When Hop Server writes links to the PrepareExecutionPipelineServlet page one of the parameters provided to the user was not properly escaped.
The variable not properly escaped is the "id", which is not directly accessible by users creating pipelines making the risk of exploiting this low.

This issue only affects users using the Hop Server component and does not directly affect the client.

Classification

CVE ID: CVE-2024-24683

Affected Products

Vendor: Apache Software Foundation

Product: Apache Hop Engine

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.98% (scored less or equal to compared to others)

EPSS Date: 2025-03-14 (when was this score calculated)

References

https://lists.apache.org/thread/ts203zssv1n9qth1wdlhk2bhos3vcq6t
http://www.openwall.com/lists/oss-security/2024/03/18/1

Timeline

2025-02-14 00:31:39 UTC
CVE

Apache Hop Engine: ID isn't escaped when generating HTML