Skip to main content

Roller

12 CVEs product

Monthly

CVE-2025-24859 LOW Monitor

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Apache Authentication Bypass Roller
NVD
CVSS 4.0
2.1
EPSS
0.1%
CVE-2024-46911 MEDIUM This Month

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache CSRF Roller
NVD
CVSS 3.1
4.7
EPSS
0.4%
CVE-2024-25090 MEDIUM This Month

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Roller
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2023-37581 MEDIUM This Month

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache File Upload XSS Roller
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-33580 HIGH This Week

User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Roller
NVD
CVSS 3.1
7.5
EPSS
3.3%
CVE-2019-0234 MEDIUM This Month

A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Roller
NVD
CVSS 3.1
6.1
EPSS
3.4%
CVE-2014-0030 CRITICAL POC THREAT Emergency

The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.1%.

XXE Apache Roller
NVD Exploit-DB
CVSS 3.0
9.8
EPSS
29.1%
Threat
4.3
CVE-2015-0249 HIGH This Week

The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Java Apache Roller
NVD
CVSS 3.0
7.2
EPSS
0.4%
CVE-2013-4212 MEDIUM POC PATCH THREAT This Month

Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 87.0%.

Code Injection Apache RCE Roller
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
87.0%
Threat
5.5
CVE-2013-4171 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller before 5.0.2 allow remote attackers to inject arbitrary web script or HTML via vectors related to the search results in the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Roller
NVD
CVSS 2.0
4.3
EPSS
2.0%
CVE-2012-2381 LOW Monitor

Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller before 5.0.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the blogger role. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Roller
NVD
CVSS 2.0
3.5
EPSS
0.1%
CVE-2012-2380 MEDIUM This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the admin/editor console in Apache Roller before 5.0.1 allow remote attackers to hijack the authentication of admins or editors by. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Roller
NVD
CVSS 2.0
6.8
EPSS
0.2%
EPSS 0% CVSS 2.1
LOW Monitor

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Apache Authentication Bypass Roller
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Apache CSRF +1
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache XSS Roller
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache File Upload XSS +1
NVD
EPSS 3% CVSS 7.5
HIGH This Week

User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Roller
NVD
EPSS 3% CVSS 6.1
MEDIUM This Month

A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Apache Roller
NVD
EPSS 29% 4.3 CVSS 9.8
CRITICAL POC THREAT Emergency

The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 29.1%.

XXE Apache Roller
NVD Exploit-DB
EPSS 0% CVSS 7.2
HIGH This Week

The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Java +2
NVD
EPSS 87% 5.5 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

Certain getText methods in the ActionSupport controller in Apache Roller before 5.0.2 allow remote attackers to execute arbitrary OGNL expressions via the first or second parameter, as demonstrated. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 87.0%.

Code Injection Apache RCE +1
NVD Exploit-DB
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller before 5.0.2 allow remote attackers to inject arbitrary web script or HTML via vectors related to the search results in the (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache XSS Roller
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Multiple cross-site scripting (XSS) vulnerabilities in Apache Roller before 5.0.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the blogger role. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Apache XSS Roller
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in the admin/editor console in Apache Roller before 5.0.1 allow remote attackers to hijack the authentication of admins or editors by. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF Apache Roller
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy