CVE-2023-48094

Name of the Vulnerable Software and Affected Versions CesiumJS version 1.111

Description A cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary code in the context of the victim's browser via sending a crafted payload to "/container files/public html/doc/index.html". The vendor notes that Apps/Sandcastle/standalone.html is demo code and not part of the CesiumJS JavaScript library product.

Recommendations For CesiumJS version 1.111, as a temporary workaround, consider restricting access to the "/container files/public html/doc/index.html" endpoint until a patch is available. Avoid using this endpoint with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.