Platform: java
Component: org.mapfish.print:print-lib
Fixed in: 3.24.1, 3.24
CVE-2020-15231 is a critical Cross-Site Scripting (XSS) vulnerability affecting mapfish-print versions up to 3.9.0. This vulnerability allows an attacker to inject malicious JavaScript code through JSONP, potentially leading to session hijacking or defacement. The vulnerability was addressed with version 3.24 and users are strongly advised to upgrade immediately.
The impact of CVE-2020-15231 is significant due to the ease of exploitation and the potential for severe consequences. An attacker can leverage the JSONP support to inject arbitrary JavaScript code into the application. This code can then be executed in the context of the user's browser, allowing the attacker to steal session cookies, redirect users to malicious websites, or modify the content of the page. This vulnerability could be exploited to compromise sensitive data or gain unauthorized access to systems.
This vulnerability is publicly known and has been documented in the mapfish-print GitHub repository. While no active exploitation campaigns have been publicly reported, the ease of exploitation makes it a potential target. The vulnerability is classified as CWE-79 (Cross-site Scripting).
Exploit Status
EPSS: 0.31% (54th percentile)
The primary mitigation for CVE-2020-15231 is to upgrade to version 3.24 or later of mapfish-print. Since no workaround is available, upgrading is the only viable option. Prior to upgrading, it's recommended to back up your configuration and data. After the upgrade, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload through the JSONP endpoint and verifying that it is not executed.
Update the mapfish-print library to version 3.24 or higher. This version contains the fix for the Cross-site scripting (XSS) vulnerability. See the release notes for more details about the update.
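To check whether a Maven build still declares a release older than the fix, the following added example (not code from mapfish-print or from this advisory) reads a pom.xml, finds org.mapfish.print:print-lib, resolves simple `${property}` versions, and compares the result against 3.24. It assumes anything below 3.24 needs the upgrade; the sample POM and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

GROUP, ARTIFACT = "org.mapfish.print", "print-lib"
FIXED = (3, 24)  # fix version named on this page

# Constructed sample POM for the demo (not taken from a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><mapfish.version>3.9.0</mapfish.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.mapfish.print</groupId>
      <artifactId>print-lib</artifactId>
      <version>${mapfish.version}</version>
    </dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Strip the XML namespace so namespaced and plain POMs both match."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def parse_version(text):
    """Leading numeric part of a version: '3.24.1-SNAPSHOT' -> (3, 24, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def check_pom(pom_xml):
    """Return (version, status) for each print-lib dependency in the POM."""
    root = ET.fromstring(pom_xml)  # run on your own POMs, not untrusted XML
    props = {_local(p.tag): (p.text or "").strip()
             for e in root.iter() if _local(e.tag) == "properties" for p in e}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        if (_child_text(dep, "groupId"), _child_text(dep, "artifactId")) != (GROUP, ARTIFACT):
            continue
        raw = _child_text(dep, "version") or ""
        # Resolve ${property} placeholders defined in the same file.
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        parsed = parse_version(resolved)
        status = "unresolved" if parsed is None else ("ok" if parsed >= FIXED else "upgrade")
        findings.append((resolved, status))
    return findings
```

A status of `unresolved` means the version is set outside the file (for example in a parent POM), so inspect the effective POM in that case.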
CVE-2020-15231 is a critical Cross-Site Scripting (XSS) vulnerability in mapfish-print versions up to 3.9.0, allowing attackers to inject malicious JavaScript via JSONP.
Yes, if you are using mapfish-print versions 3.9.0 or earlier, you are affected by this vulnerability and should upgrade immediately.
Upgrade to version 3.24 or later of mapfish-print. There are no workarounds available for this vulnerability.
While no active exploitation campaigns have been publicly reported, the ease of exploitation makes it a potential target.
Refer to the mapfish-print GitHub pull request: https://github.com/mapfish/mapfish-print/pull/1397