CVE-2024-6449
Last modified
CVE-2024-6449 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides.. EPSS estimates a 0.35% chance of exploitation in the next 30 days.
Description
HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Hyperview | Geoportal Toolkit | <= 8.5.0 |
References
- https://cert.pl/en/posts/2024/08/CVE-2024-6449Third Party Advisory
- https://cert.pl/posts/2024/08/CVE-2024-6449Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-6449?
How severe is CVE-2024-6449?
How do I fix CVE-2024-6449?
Are you affected by CVE-2024-6449?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST