CVE-2024-53679 Information

Description

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache VCL in the User Lookup form. A user with sufficient rights to be able to view this part of the site can craft a URL or be tricked in to clicking a URL that will give a specified user elevated rights.

This issue affects all versions of Apache VCL through 2.5.1.

Users are recommended to upgrade to version 2.5.2 which fixes the issue.

Reference

http://www.openwall.com/lists/oss-security/2025/03/24/2 https://lists.apache.org/thread/bq5vs0hndt9cz9b6rpfr5on1nd4qrmyr