CVE-2024-6449
Sept. 12, 2024, 3:32 p.m.
Tags
CVSS Score
Products Impacted
| Vendor | Product | Versions |
|---|---|---|
| hyperview |
|
|
Description
HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides.
Weaknesses
CWE-942
Permissive Cross-domain Policy with Untrusted Domains
The product uses a cross-domain policy file that includes domains that should not be trusted.
CWE ID: 942Date
Published: Aug. 28, 2024, 12:15 p.m.
Last Modified: Sept. 12, 2024, 3:32 p.m.
Status : Analyzed
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
More infoSource
cvd@cert.pl
CPEs
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | hyperview | geoportal_toolkit | / | / | / | / | / | / | / | / |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
Exploitability Score
Impact Score
Base Severity
MEDIUMCVSS Vector String
The CVSS vector string provides an in-depth view of the vulnerability metrics.
View Vector StringCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N