Platform
java
Component
org.mapfish.print:print-lib
Fixed in
3.24.1
3.24
CVE-2020-15231 is a Cross-Site Scripting (XSS) vulnerability in mapfish-print (org.mapfish.print:print-lib) affecting all releases before 3.24. The library's JSONP support lets an attacker get attacker-controlled JavaScript reflected back by the server, where it executes in the browser of whoever loads the response, enabling session hijacking or defacement. The fix shipped in version 3.24, and users are strongly advised to upgrade.
The impact is significant because exploitation is straightforward: a JSONP response wraps the JSON payload in a caller-supplied callback name, so if that name is not strictly validated the attacker controls text that lands verbatim in a script-like response. Once that script runs in the context of the user's browser the attacker can read session cookies that are not HttpOnly, redirect the user to a malicious site, or rewrite the page contents, and from there reach any data or functionality the victim's session can reach.
The vulnerability is publicly known and documented in the mapfish-print GitHub repository. No active exploitation campaigns have been publicly reported, but the low effort required makes it a plausible target. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Organizations running mapfish-print older than 3.24 are at risk, in particular deployments that expose the print service to users who can influence request parameters, and those that rely on JSONP for data exchange with the print service.
disclosure
Exploit status
EPSS
0.31% (54th percentile)
CVSS vector
The primary mitigation for CVE-2020-15231 is to upgrade to mapfish-print 3.24 or later. No workaround is available, so upgrading is the only viable option. Back up your configuration and data before upgrading. Afterwards, confirm the fix by sending a request whose JSONP callback parameter contains a harmless marker (for example a `<script>` tag that only calls `alert`) to the JSONP-enabled endpoint and verifying that the marker is no longer echoed back in the response body; run this check against a test instance, not against live users.
Update the mapfish-print library to version 3.24 or later. That release contains the fix for the Cross-Site Scripting vulnerability. Consult the release notes for details on the upgrade.
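The following Python script is an added illustration, not mapfish-print's code and not the project's fix. It serves two purposes: it shows the unsafe JSONP wrapping pattern described above (a caller-supplied callback name concatenated into the response without validation) beside a hardened wrapper, and it implements the post-upgrade check described in the mitigation step as a response classifier with an optional live probe. The callback parameter name `jsonp`, the sample payload and the example URL are assumptions for this example.

```python
"""Added illustration for CVE-2020-15231-style JSONP reflection.

This is NOT mapfish-print's code. It shows (1) the unsafe JSONP wrapping
pattern that turns a callback parameter into reflected XSS, (2) a hardened
wrapper, and (3) a classifier you can point at a real endpoint after
upgrading to confirm the probe marker is no longer echoed back.
"""
import json
import re
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlparse

# Harmless marker used as the "callback name" when re-testing an endpoint.
PROBE_CALLBACK = '<script>alert("x15231")</script>'

# Allowlist for a JSONP callback: a dotted JavaScript identifier path such as
# "cb", "jQuery17_1" or "app.handlers.done". Anything else is rejected.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$", re.ASCII)

# MIME types a browser will not render as HTML when navigated to directly.
SCRIPT_TYPES = {"application/javascript", "text/javascript", "application/json"}


def wrap_jsonp_unsafe(callback, payload):
    """Vulnerable pattern: the caller-supplied callback is concatenated into
    the body unvalidated, and the response is even served as HTML."""
    body = f"{callback}({json.dumps(payload)});"
    return 200, {"Content-Type": "text/html; charset=UTF-8"}, body


def wrap_jsonp_safe(callback, payload):
    """Hardened pattern: strict allowlist on the callback name, a script MIME
    type, nosniff, and a leading comment so the body starts with something
    that is only meaningful as JavaScript."""
    if len(callback) > 64 or not CALLBACK_RE.fullmatch(callback):
        return 400, {"Content-Type": "text/plain; charset=UTF-8"}, "invalid callback"
    headers = {
        "Content-Type": "application/javascript; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, f"/**/{callback}({json.dumps(payload)});"


def build_probe_url(base_url, callback_param="jsonp"):
    """URL for the post-upgrade check. The parameter name "jsonp" is an
    assumption for this example; use the name your deployment exposes."""
    sep = "&" if urlparse(base_url).query else "?"
    return base_url + sep + urlencode({callback_param: PROBE_CALLBACK})


def classify_response(status, headers, body):
    """Classify a response to the probe request.

    not-reflected       : the marker never came back (what a fixed server does)
    reflected-as-script : echoed, but served as script/JSON with nosniff, so a
                          browser will not render it as HTML; still worth fixing
                          because the callback is clearly not validated
    vulnerable          : echoed in an HTML or sniffable response
    """
    if PROBE_CALLBACK not in body:
        return "not-reflected"
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if ctype in SCRIPT_TYPES and nosniff:
        return "reflected-as-script"
    return "vulnerable"


def probe_live(base_url, timeout=10):
    """Send the probe to a real endpoint you are authorised to test."""
    req = urllib.request.Request(build_probe_url(base_url),
                                 headers={"User-Agent": "cve-2020-15231-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, headers = resp.status, dict(resp.headers)
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, headers = e.code, dict(e.headers)
        body = e.read().decode("utf-8", "replace")
    return classify_response(status, headers, body)


if __name__ == "__main__":
    doc = {"app": "default", "formats": ["pdf", "png"]}  # constructed payload
    print(classify_response(*wrap_jsonp_unsafe(PROBE_CALLBACK, doc)))  # vulnerable
    print(classify_response(*wrap_jsonp_safe(PROBE_CALLBACK, doc)))    # not-reflected
    print(wrap_jsonp_safe("app.done", doc)[2])
    # Example live use (assumed path, test instance only):
    # print(probe_live("https://print.example.invalid/print/capabilities.json"))
```

The classifier treats a reflected marker served as `text/html`, or without a script MIME type and `nosniff`, as a finding; a marker that comes back inside a properly typed script response is reported separately because it is not directly renderable as HTML but still shows the callback is unvalidated. After upgrading to 3.24 or later the expected result against a fixed instance is `not-reflected`.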
CVE-2020-15231 is a Cross-Site Scripting (XSS) vulnerability in mapfish-print versions before 3.24 that lets an attacker inject JavaScript through the JSONP support.
Yes, if you are running any mapfish-print version older than 3.24 you are affected and should upgrade.
Upgrade to version 3.24 or later of mapfish-print. There are no workarounds available for this vulnerability.
While no active exploitation campaigns have been publicly reported, the ease of exploitation makes it a potential target.
Refer to the mapfish-print GitHub pull request: https://github.com/mapfish/mapfish-print/pull/1397