Apache Geode stored Cross-Site Scripting (XSS) via data injection vulnerability in Pulse web application
Description
Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode Pulse web application is vulnerable to stored XSS via data injection when viewing Region entries, allowing arbitrary script execution.
Vulnerability
Overview
CVE-2022-34870 is a stored Cross-Site Scripting (XSS) vulnerability in the Pulse web application of Apache Geode versions up to and including 1.15.0. Pulse displays Region entry data without adequate HTML output encoding, so an entry whose value contains HTML or script markup is interpreted by the browser rather than shown as text; when a Pulse user views that entry, the injected script executes in that user's browser session [3].
Exploitation
Prerequisites
The attacker needs write access to a Geode Region: any Geode client with that access can store a crafted value, and no Pulse credentials are required for this step. The payload fires later, in the browser of any Pulse user who views the affected entry, using that user's existing Pulse session; the victim needs nothing beyond normal Pulse access [3].
Impact
Successful exploitation runs attacker-controlled JavaScript in the victim's browser with the origin and session of the Pulse web application. The script can read whatever Pulse shows that user, such as cluster membership and Region data, and can issue requests to Pulse as that user, which enables session hijacking and actions performed on the victim's behalf. Because Pulse is normally used by cluster operators, this exposes the Geode cluster's management view [3].
Mitigation
Apache Geode fixed this issue in version 1.15.1; users of 1.15.0 and earlier should upgrade to 1.15.1 or later. Until the upgrade is applied, limit which clients may write to Regions that Pulse users browse and restrict Pulse to trusted users and networks. The fix is tracked as GEODE-10411 [3].
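The bug class described above (untrusted Region data concatenated into Pulse's page markup) is easiest to see side by side with its hardened form. The following is an added example written for this page, not code from Apache Geode or from the Pulse fix; the function names, the table layout and the sample entries (including the attacker value) are all constructed for illustration and do not reproduce Pulse's actual rendering code.

```javascript
// Added illustration of stored XSS via data injection (not Geode/Pulse code).
// Constructed attacker value: stored in a Region by a client with write access.
const ATTACKER_VALUE = '<img src=x onerror="alert(document.cookie)">';

// Encode the five characters that are significant in HTML text and
// quoted-attribute contexts. The result can be interpolated into element
// content or a double-quoted attribute value without being parsed as markup.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: Region key and value concatenated straight into markup.
// Whatever the client stored is handed to the browser's HTML parser.
function renderEntryRowUnsafe(key, value) {
  return '<tr><td>' + key + '</td><td>' + value + '</td></tr>';
}

// Hardened pattern: every untrusted field is encoded before insertion, so the
// browser shows the attacker value as literal text.
function renderEntryRowSafe(key, value) {
  return '<tr><td>' + escapeHtml(key) + '</td><td>' + escapeHtml(value) + '</td></tr>';
}

// Check used to compare the two renderers: after removing the table elements
// we emitted ourselves, is any other tag present in the fragment?
function containsForeignMarkup(html) {
  const ownTags = html.replace(/<\/?(table|tr|td)>/g, '');
  return /<[a-zA-Z]/.test(ownTags);
}

// Constructed sample Region entries, one benign and one carrying the payload.
const SAMPLE_ENTRIES = [
  ['customer:1', 'Alice'],
  ['customer:2', ATTACKER_VALUE],
];

// Render the sample entries with the given row renderer.
function renderTable(renderRow, entries = SAMPLE_ENTRIES) {
  return '<table>' + entries.map(([k, v]) => renderRow(k, v)).join('') + '</table>';
}

const UNSAFE_HTML = renderTable(renderEntryRowUnsafe);
const SAFE_HTML = renderTable(renderEntryRowSafe);

console.log('unsafe fragment contains foreign markup:', containsForeignMarkup(UNSAFE_HTML));
console.log('safe fragment contains foreign markup:  ', containsForeignMarkup(SAFE_HTML));
```

The important design point is that encoding happens at output time, in the component that builds the page, rather than at storage time: a Geode Region legitimately stores arbitrary strings, and the only place where their meaning as HTML is decided is the web application that displays them.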
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.geode:geode-core (Maven) | < 1.15.1 | 1.15.1 |
Affected products
- Apache Software Foundation / Apache Geode
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-373r-9mg8-3jc4 (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-34870 (NVD advisory)
3. www.openwall.com/lists/oss-security/2022/10/24/3 (oss-security mailing list)
4. lists.apache.org/thread/zltlr7f2ymr2m6jj54k4z0c4foos5fwx (Apache mailing list)
News mentions
No linked articles in our index yet.