HyperView Geoportal Toolkit Permissive CORS and Reflected XSS Vulnerabilities (CVE-2024-6449/6450)

From this webpage screenshot, the following key vulnerability information can be obtained: 1. Vulnerability IDs: - CVE-2024-6449 - CVE-2024-6450 2. Release Date: - August 28, 2024 3. Vendor: - HyperView 4. Affected Product: - Geoportal Toolkit 5. Affected Versions: - All versions, including 8.2.4 6. Vulnerability Types (CWE): - Permissive Cross-domain Policy with Untrusted Domains (CWE-942) - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) 7. Reporting Source: - Reported to CERT Polska 8. Description: - The software does not restrict cross-domain requests when fetching remote content, allowing unauthorized remote attackers to craft links that, when opened in the user's environment, load and execute scripts from attacker-controlled remote locations. By manipulating this parameter, it is also possible to enumerate devices within the local network where the server resides. This vulnerability has been assigned CVE-2024-6449. - CVE-2024-6450 enables reflected cross-site scripting (XSS) attacks. Unauthorized attackers can trick users into clicking on crafted URLs, which will result in scripts being executed in the user's browser. 9. Affected Versions: - All versions, including 8.2.4 10. Acknowledgments: - Thanks to Dariusz Gońda for reporting this vulnerability. 11. More Information: - More information about the coordinated vulnerability disclosure process can be found on the CERT Polska website: https://cert.pl/en/cvd/

Goal Reached Thanks to every supporter — we hit 100%!

HyperView Geoportal Toolkit Permissive CORS and Reflected XSS Vulnerabilities (CVE-2024-6449/6450)