Roller Apache Roller

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Apache Roller.

By the Year

In 2025 there have been 1 vulnerability in Apache Roller with an average score of 8.8 out of ten. Last year, in 2024 Roller had 2 security vulnerabilities published. Right now, Roller is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 3.40.




Year Vulnerabilities Average Score
2025 1 8.80
2024 2 5.40
2023 1 5.40
2022 0 0.00
2021 1 7.50
2020 0 0.00
2019 2 7.95
2018 0 0.00

It may take a day or so for new Roller vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Apache Roller Security Vulnerabilities

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes

CVE-2025-24859 8.8 - High - April 14, 2025

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.

Insufficient Session Expiration

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller

CVE-2024-46911 - October 14, 2024

Cross-site Resource Forgery (CSRF), Privilege escalation vulnerability in Apache Roller. On multi-blog/user Roller websites, by default weblog owners are trusted to publish arbitrary weblog content and this combined with a deficiency in Roller's CSRF protections allowed an escalation of privileges attack. This issue affects Apache Roller before 6.1.4. Roller users who run multi-blog/user Roller websites are recommended to upgrade to version 6.1.4, which fixes the issue. Roller 6.1.4 release announcement:  https://lists.apache.org/thread/3c3f6rwqptyw6wdc95654fq5vlosqdpw

Session Riding

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms

CVE-2024-25090 5.4 - Medium - July 26, 2024

Insufficient input validation and sanitation in Profile name & screenname, Bookmark name & description and blogroll name features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.3. This issue affects Apache Roller: from 5.0.0 before 6.1.3. Users are recommended to upgrade to version 6.1.3, which fixes the issue.

XSS

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms

CVE-2023-37581 5.4 - Medium - August 06, 2023

Insufficient input validation and sanitation in Weblog Category name, Website About and File Upload features in all versions of Apache Roller on all platforms allows an authenticated user to perform an XSS attack. Mitigation: if you do not have Roller configured for untrusted users, then you need to do nothing because you trust your users to author raw HTML and other web content. If you are running with untrusted users then you should upgrade to Roller 6.1.2 and you should disable Roller's File Upload feature.?

XSS

User controlled `request.getHeader("Referer")`

CVE-2021-33580 7.5 - High - August 18, 2021

User controlled `request.getHeader("Referer")`, `request.getRequestURL()` and `request.getQueryString()` are used to build and run a regex expression. The attacker doesn't have to use a browser and may send a specially crafted Referer header programmatically. Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side. This problem has been fixed in Roller 6.0.2.

Resource Exhaustion

A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller

CVE-2019-0234 6.1 - Medium - July 15, 2019

A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache Roller. Roller's Math Comment Authenticator did not property sanitize user input and could be exploited to perform Reflected Cross Site Scripting (XSS). The mitigation for this vulnerability is to upgrade to the latest version of Roller, which is now Roller 5.2.3.

XSS

Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1, 5.2.0 and earlier unsupported versions relies on Java SAX Parser to implement its XML-RPC interface and by default

CVE-2018-17198 9.8 - Critical - May 28, 2019

Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1, 5.2.0 and earlier unsupported versions relies on Java SAX Parser to implement its XML-RPC interface and by default that parser supports external entities in XML DOCTYPE, which opens Roller up to SSRF / File Enumeration vulnerability. Note that this vulnerability exists even if Roller XML-RPC interface is disable via the Roller web admin UI. Mitigation: There are a couple of ways you can fix this vulnerability: 1) Upgrade to the latest version of Roller, which is now 5.2.2 2) Or, edit the Roller web.xml file and comment out the XML-RPC Servlet mapping as shown below: <!-- <servlet-mapping> <servlet-name>XmlRpcServlet</servlet-name> <url-pattern>/roller-services/xmlrpc</url-pattern> </servlet-mapping> -->

SSRF

The XML-RPC protocol support in Apache Roller before 5.0.3

CVE-2014-0030 9.8 - Critical - October 10, 2017

The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors.

XXE

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Apache Roller or by Apache? Click the Watch button to subscribe.

Apache
Vendor

Apache Roller
Product

subscribe