PT-2024-37636 · Unknown · Hyperview Geoportal Toolkit

Dariusz Gońda +1 · Published 2024-08-28 · Updated 2024-09-12 · CVE-2024-6449

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

HyperView Geoportal Toolkit versions prior to 8.5.0

Description

The issue allows an unauthenticated remote attacker to prepare links that, when opened, will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating a GET request parameter, it is also possible to enumerate some of the devices in the Local Area Network in which the server resides.

Recommendations

For versions prior to 8.5.0, update to a patched version as soon as possible and review access controls to mitigate the risk of unauthorized access. As a temporary workaround, consider restricting access to the vulnerable GET request parameter until a patch is available.

Related Identifiers

CVE-2024-6449

Affected Products

Hyperview Geoportal Toolkit