PT-2024-21642 · Geonode · Geonode

Imthatt · Published 2024-03-27 · Updated 2025-12-19 · CVE-2024-27091

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

GeoNode versions prior to 4.2.3

Description

GeoNode is a geospatial content management system. Its current rich text editor is vulnerable to stored XSS. An attacker can use this to retrieve a victim's CSRF token and issue a request that changes another user's email address, potentially leading to a full account takeover. Because the injected script element runs within the GeoNode page, the CORS policy does not block its requests, so they succeed.

Recommendations

For versions prior to 4.2.3, update to version 4.2.3 to resolve the issue. As a temporary workaround, consider disabling the rich text editor until the patch is applied, and avoid using the vulnerable rich text editor in the affected GeoNode platform until the issue is resolved. Restrict access to sensitive user account settings to minimize the risk of exploitation.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-27091
GHSA-RWCV-WHM8-FMXM

Affected Products

Geonode