A medium-severity vulnerability, identified as CVE-2024-27091 with a CVSS score of 6.1, exists in the rich text editor component of GeoNode due to stored cross-site scripting (XSS) flaws. This issue enables an attacker to retrieve a victim's CSRF token and perform a full account takeover by exploiting user interaction with the rich text editor, requiring no privileges or authentication. The flaw arises from the script element not impacting the CORS policy, allowing requests to succeed. Affected versions of GeoNode include those in the range >= 3.2.1, < 4.2.3. This vulnerability has a significant business impact, as a full account takeover can result in unauthorized access and modifications to sensitive information.
We recommend you to update GeoNode to version 4.2.3.[/subscribe_to_unlock_form]
A medium-severity vulnerability, identified as CVE-2024-27091 with a CVSS score of 6.1, exists in the rich text editor component of GeoNode due to stored cross-site scripting (XSS) flaws. This issue enables an attacker to retrieve a victim's CSRF token and perform a full account takeover by exploiting user interaction with the rich text editor, requiring no privileges or authentication. The flaw arises from the script element not impacting the CORS policy, allowing requests to succeed. Affected versions of GeoNode include those in the range >= 3.2.1, < 4.2.3. This vulnerability has a significant business impact, as a full account takeover can result in unauthorized access and modifications to sensitive information.
We recommend you to update GeoNode to version 4.2.3.[emaillocker id="1283"]
The following reports contain further technical details:
[/emaillocker]