CesiumGS CesiumJS standalone.html cross site scripting
Platform
javascript
Component
cesium
Fixed in
1.137.1
A cross-site scripting (XSS) vulnerability exists in CesiumJS versions up to and including 1.137.0, in the Sandcastle demo application shipped under Apps/Sandcastle/standalone.html. The page does not properly neutralize the 'c' argument, so a crafted value can cause attacker-supplied script to run in the browser of any user who opens the resulting link. The exact impact depends on what else is hosted on the affected origin, but a public exploit is available, so deployments that serve this file should be treated as exposed. The issue is fixed in 1.137.1.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-3990 lets an attacker run arbitrary JavaScript in the origin that serves standalone.html, inside the session of a user who opens a crafted link. What that script can reach depends on the origin: if Sandcastle is served next to a production Cesium application, or next to anything that keeps credentials or session tokens in that origin, the usual reflected-XSS consequences apply, including session hijacking, credential theft, and defacement. The vector is network-based and needs no authentication, but user interaction is required: the victim has to open the attacker's link, which is typical of reflected XSS and is why the CVSS metrics below rate the impact as Integrity: Low with no confidentiality or availability impact. The public proof of concept lowers the effort needed to weaponize the flaw once a target that serves the file is found.
Exploitation Context
CVE-2026-3990 is linked to CVE-2023-48094, an earlier CVE filed against the same project. A public proof-of-concept exploit is available, which increases the likelihood of exploitation. The vulnerability was publicly disclosed on 2026-03-12. The EPSS score recorded on this page is 0.03% (9th percentile), so predicted exploitation activity is low despite the public exploit; the practical risk is concentrated in hosts that actually serve the Sandcastle directory.
Who Is At Risk
Anyone serving CesiumJS up to and including 1.137.0 with the Apps/Sandcastle directory reachable on a web server is at risk. The vulnerable code is in the Sandcastle demo app, not in the Cesium library runtime, so an application that bundles Cesium but does not deploy that directory is not reachable through this path. The quickest check is to request /Apps/Sandcastle/standalone.html on each host: a 200 response means the file is exposed. Shared hosting environments where several tenants use one CesiumJS installation are also exposed, since any tenant's users can be sent a link to the shared page.
Detection Steps
• javascript / cesiumjs: Inspect requests to Apps/Sandcastle/standalone.html for 'c' values that decode to markup or script (for example `<script`, `onerror=`, `javascript:`), including double-encoded variants that a naive filter would miss.
• generic web: Deploy a Content-Security-Policy with a report-uri or report-to directive on the origin; inline script blocked by the policy produces a violation report, which is a more reliable signal than looking for errors in a browser's developer console.
• generic web: Review access logs for requests to Apps/Sandcastle/standalone.html with unusual or oversized query strings. Anything carried in the URL fragment (after #) never reaches the server, so log-based detection only sees payloads placed in the query string.
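The log review above, as an added example that is not part of this page or of the CesiumJS project: a Node.js scanner over combined-format access log lines that flags requests to Apps/Sandcastle/standalone.html whose 'c' parameter decodes (once or twice, to catch double encoding) to script-like content. The log lines are constructed for the example, and the path suffix, parameter name and marker patterns are assumptions based on the advisory text.

```javascript
// Added example (not CesiumJS project code): flag access-log requests to the
// Sandcastle page whose 'c' parameter carries markup or script. Everything
// below, including the sample log, is constructed for illustration.

const TARGET_PATH = '/Apps/Sandcastle/standalone.html';   // assumed deploy path

// Markers that a reflected value contains active content rather than data.
const SUSPICIOUS = [
  /<\s*script/i,
  /javascript\s*:/i,
  /\bon[a-z]+\s*=/i,                         // onerror=, onload=, ...
  /<\s*(img|svg|iframe|object|embed)\b/i,
  /srcdoc\s*=/i,
];

// Parse a combined-log-format line into { ip, method, path, query, status }.
// Returns null for lines that do not match so garbage never aborts the scan.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  const [, ip, method, target, status] = m;
  const [path, query = ''] = target.split('?', 2);
  return { ip, method, path, query, status: Number(status) };
}

// Percent-decode up to twice: attackers double-encode to slip past filters
// that decode once. Malformed sequences stop decoding instead of throwing.
function safeDecode(s) {
  let out = s;
  for (let i = 0; i < 2; i++) {
    try { out = decodeURIComponent(out); } catch { break; }
  }
  return out;
}

// Raw (still-encoded) value of a query parameter, or null if absent.
function getQueryParam(query, name) {
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === name) return eq === -1 ? '' : pair.slice(eq + 1);
  }
  return null;
}

// One finding per line whose 'c' parameter matches any suspicious marker.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req || !req.path.endsWith(TARGET_PATH)) continue;
    const raw = getQueryParam(req.query, 'c');
    if (raw === null) continue;
    const value = safeDecode(raw);
    const hits = SUSPICIOUS.filter((re) => re.test(value)).map((re) => re.source);
    if (hits.length) findings.push({ ip: req.ip, status: req.status, value, hits });
  }
  return findings;
}

// Constructed sample: one benign token, one plain payload, one double-encoded
// payload, one payload against an unrelated path, one unparseable line.
const SAMPLE_LOG = [
  '203.0.113.5 - - [12/Mar/2026:10:00:01 +0000] "GET /Apps/Sandcastle/standalone.html?c=N4IgdghgtgpiBcIDOBXAlgYwC4GcC0EA HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [12/Mar/2026:10:02:13 +0000] "GET /Apps/Sandcastle/standalone.html?c=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "curl/8.0"',
  '198.51.100.9 - - [12/Mar/2026:10:05:40 +0000] "GET /Apps/Sandcastle/standalone.html?c=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
  '203.0.113.8 - - [12/Mar/2026:10:06:02 +0000] "GET /index.html?c=%3Cscript%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  'not a log line at all',
];

function runSample() {
  return scanAccessLog(SAMPLE_LOG);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Run it with `node scan.js`; to use it on real data, replace `SAMPLE_LOG` with the lines of your server's access log. A request with status 200 and a flagged value means the payload reached the vulnerable page; a 404 still tells you someone is probing for it.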
Attack Timeline
- Disclosure
- PoC
Threat Intelligence
Exploit Status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- None: no authentication required to exploit.
- User Interaction
- Required: the victim must open a file, click a link, or visit a page.
- Scope
- Unchanged: impact confined to the vulnerable component.
- Confidentiality
- None: no confidentiality impact.
- Integrity
- Low: the attacker can modify some data to a limited extent.
- Availability
- None: no availability impact.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-3990 is to upgrade CesiumJS to 1.137.1 or later, the version listed as fixed above. Where that is not immediately possible, reduce exposure rather than rely on filtering alone: Sandcastle is a demo application, so stop serving the Apps/Sandcastle directory from production hosts, or restrict it to trusted networks. If the page must stay reachable, validate the 'c' argument against the format it is expected to carry and never insert it into the DOM as markup. A Content-Security-Policy that disallows inline script on that origin blocks the usual reflected payloads, and a Web Application Firewall tuned for XSS adds a further layer, though WAFs are routinely bypassed with encoding tricks and should not be the only control. Also review any third-party libraries or components deployed alongside CesiumJS for their own issues.
How to fix
Update CesiumJS to 1.137.1 or later. If an update is not possible, validate and filter the input of the 'c' argument in Apps/Sandcastle/standalone.html to prevent unwanted code execution, or stop serving that file altogether.
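The "validate and never render as markup" workaround, as an added example that is not code from the CesiumJS project and does not reproduce what standalone.html actually does: a generic reflected pattern for a 'c' parameter beside its hardened form. This page does not describe the real format of 'c', so the expected format used here (a base64url-style token) is an assumption chosen for illustration, and the parameter reader also checks the URL fragment as a generalization beyond the advisory text.

```javascript
// Added example (not CesiumJS project code): a reflected-XSS pattern and its
// hardened replacement for a query parameter named 'c'. The token format and
// the URLs are assumptions/constructed inputs for illustration only.

// Read 'c' from a URL. Query string first; as a generalization, fall back to
// the fragment, which single-page apps sometimes use and servers never see.
function getParamC(urlString) {
  const u = new URL(urlString);
  const fromQuery = u.searchParams.get('c');
  if (fromQuery !== null) return fromQuery;
  const frag = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  return new URLSearchParams(frag).get('c');
}

// Vulnerable pattern: the parameter is concatenated into markup, which is
// what `element.innerHTML = ...` or `document.write(...)` does in a browser.
function renderUnsafe(c) {
  return `<div id="code">${c}</div>`;
}

// Layer 1: when the parameter has a known format, reject anything else up front.
const TOKEN_FORMAT = /^[A-Za-z0-9_-]{1,32768}$/;   // assumed format, see lead-in
function isValidToken(c) {
  return typeof c === 'string' && TOKEN_FORMAT.test(c);
}

// Layer 2: when a value must be displayed, encode it so the browser treats it
// as text. In DOM code the equivalent is `element.textContent = c`.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: validate, then encode. Returns null for a rejected value
// so the caller can show a neutral error instead of echoing the input.
function renderSafe(c) {
  if (c === null || c === undefined) return '<div id="code"></div>';
  if (!isValidToken(c)) return null;
  return `<div id="code">${escapeHtml(c)}</div>`;
}

// Compare both renderers on a constructed attacker URL and a benign one.
function demo() {
  const base = 'https://cesium.example.invalid/Apps/Sandcastle/standalone.html';
  const attackerUrl = base + '?c=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'; // constructed
  const benignUrl = base + '?c=N4IgdghgtgpiBcIDOBXAlgYwC4GcC0EA';                           // constructed
  const attack = getParamC(attackerUrl);
  const benign = getParamC(benignUrl);
  return {
    unsafe: renderUnsafe(attack),     // live <img onerror=...> in the markup
    safe: renderSafe(attack),         // null: rejected by the format check
    safeBenign: renderSafe(benign),   // token passes and is rendered as text
    escapedOnly: escapeHtml(attack),  // what layer 2 alone would produce
  };
}

console.log(demo());
```

The two layers are deliberately independent: the format check is the real fix when the parameter has a known shape, and the encoder (or `textContent` in DOM code) is what keeps a value from becoming markup when it must be displayed as-is. Pair either with a Content-Security-Policy that forbids inline script so that a missed case still cannot execute.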
Frequently Asked Questions
What is CVE-2026-3990 — XSS in CesiumJS ≤1.137?
CVE-2026-3990 is a cross-site scripting vulnerability in CesiumJS versions up to 1.137.0, allowing attackers to inject malicious scripts via the 'c' parameter in Apps/Sandcastle/standalone.html.
Am I affected by CVE-2026-3990 in CesiumJS ≤1.137?
If you are running CesiumJS 1.137.0 or earlier and Apps/Sandcastle/standalone.html is served from your hosts, you are affected. Check whether that path is reachable on each deployment; applications that bundle Cesium without deploying the Sandcastle directory are not exposed through this path.
How do I fix CVE-2026-3990 in CesiumJS ≤1.137?
Upgrade to CesiumJS 1.137.1 or later. If you cannot upgrade yet, stop serving the Sandcastle directory, or validate the 'c' argument and never render it as markup, as a temporary workaround.
Is CVE-2026-3990 being actively exploited?
This page records a public proof-of-concept exploit but no confirmed in-the-wild exploitation, and the EPSS score of 0.03% indicates low predicted exploitation activity. A public PoC still means that, once a host serving the page is found, exploiting it takes little effort.
Where can I find the official CesiumJS advisory for CVE-2026-3990?
No vendor advisory is linked on this page. Check the CesiumJS release notes for 1.137.1 and the CVE record for CVE-2026-3990 for further details.