Listen to this Post
GeoNode is an open‑source geospatial content management system used for publishing and managing geographic data. Versions 3.2.0 through 4.2.2 are affected by a stored cross‑site scripting (XSS) vulnerability in the built‑in rich text editor. The editor fails to properly sanitize user‑supplied HTML, allowing an attacker to inject arbitrary JavaScript code that is permanently stored and executed in the browser of any user who views the malicious content.
Although the application sets its session cookies with the `Secure` and `HttpOnly` flags, the injected script can still read the CSRF token from the page’s DOM or from meta tags, as these tokens are typically exposed to JavaScript for legitimate AJAX requests. With the CSRF token in hand, the attacker’s script can forge an authenticated request to the `/account/email/` endpoint (or similar) to change the victim’s registered email address. Because the script runs in the context of the victim’s session, the request appears legitimate to the server.
Crucially, the attack bypasses CORS restrictions: the injected script element originates from the same origin as the GeoNode instance, so no cross‑origin policy is violated. The browser faithfully executes the request with the victim’s credentials, and the server accepts the email change. Once the email is altered, the attacker can trigger a password reset and receive the reset link at the new address, effectively taking over the account.
The vulnerability is rated 6.1 (Medium) on the CVSS v3.1 scale, with a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. It requires user interaction (the victim must view a crafted page), but no privileges are needed to inject the payload. The fix was merged in commit `e53bdef` and released in GeoNode 4.2.3, which introduces a server‑side HTML sanitization filter using the `nh3` library.
DailyCVE Form:
Platform: ……. GeoNode
Version: …….. 3.2.0 – 4.2.2
Vulnerability :…… Stored XSS
Severity: ……. Moderate (6.1)
date: ………. 2024-03-27
Prediction: …… Patch 2024-03-27
What Undercode Say
- CVSS v3.1 Score: 6.1 (Medium) – Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: Required, Scope: Changed, Confidentiality: Low, Integrity: Low.
- CWE: CWE‑79 (Improper Neutralization of Input During Web Page Generation).
- EPSS: 0.0% (9th percentile) – currently low likelihood of active exploitation.
- Affected Versions: ≥ 3.2.0 and < 4.2.3.
- Patched Version: 4.2.3.
- Fix Commit:
e53bdef– added `sanitize_html` template filter usingnh3.clean().
Bash Commands & Code Snippets
Check installed GeoNode version:
pip show geonode | grep Version
Upgrade to the patched version:
pip install --upgrade geonode==4.2.3
Verify that the sanitization filter is applied in templates (example from the fix):
{{ some_html_content|sanitize_html|safe }}
This filter strips dangerous tags and attributes, allowing only a safe subset (e.g., <b>, <a>, <img>, <p>).
Test payload (for educational purposes – do not use on production):
<script>
// Retrieve CSRF token from meta tag
var csrf = document.querySelector('meta[name="csrf-token"]').getAttribute('content');
// Change victim's email
fetch('/account/email/', {
method: 'POST',
headers: { 'X-CSRFToken': csrf, 'Content-Type': 'application/json' },
body: JSON.stringify({ email: '[email protected]' })
});
</script>
Exploit
- Injection: The attacker posts a comment, map description, or any content that uses the rich text editor, embedding the malicious `
