CVE-2024-6449

EPSS 0.23%
Veröffentlicht 28.08.2024 12:15:06
Zuletzt bearbeitet 12.09.2024 15:32:19
Quelle cvd@cert.pl
CVE-Watchlists
Login
Unerledigt
Login

HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters.
An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space.
By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hyperview ≫ Geoportal Toolkit Version <= 8.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.46

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
cvd@cert.pl	5.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-942 Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

https://cert.pl/en/posts/2024/08/CVE-2024-6449

Third Party Advisory

https://cert.pl/posts/2024/08/CVE-2024-6449

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-6449

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6449

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6449

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-6449