| CVE ID | CVE-2024-6449 |
| Publication date | 28 August 2024 |
| Vendor | HyperView |
| Product | Geoportal Toolkit |
| Vulnerable versions | Before 8.5.0 |
| Vulnerability type (CWE) | Permissive Cross-domain Policy with Untrusted Domains (CWE-942) |
| Report source | Report to CERT Polska |
| CVE ID | CVE-2024-6450 |
| Publication date | 28 August 2024 |
| Vendor | HyperView |
| Product | Geoportal Toolkit |
| Vulnerable versions | Before 8.5.0 |
| Vulnerability type (CWE) | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about two vulnerabilities in HyperView Geoportal Toolkit software and participated in coordination of their disclosure.
The software does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides. This vulnerability has been assigned CVE-2024-6449.
The vulnerability CVE-2024-6450 allows Reflected Cross-Site Scripting (XSS) attacks. An unauthenticated attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser.
Affected versions are all below 8.5.0.
Credits
We thank Dariusz Gońda for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.