6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-44088

GHSA ID

GHSA-w595-4975-gm3h

EPSS Score

CWE

CWE-79

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-44088

CVE-2024-44088: Apache Geode web-api is vulnerable to Cross-site Scripting

Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user's session information and even account takeover.

This issue affects Apache Geode: all versions prior to 1.15.2.

Users are recommended to upgrade to version 1.15.2, which fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-44088

CVE-2024-44088:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-44088

GHSA ID

GHSA-w595-4975-gm3h

EPSS Score

CWE

CWE-79

Published

10/14/2025

Updated

10/14/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.geode:geode-web-api	maven	>= 1.1.0, < 1.15.2	1.15.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Cross-Site Scripting (XSS) issue in the Apache Geode web-api. The description mentions that an attacker can trick a logged-in user into clicking a specially-crafted link, which is a typical vector for reflected XSS and usually involves a GET request. I analyzed the commits between the vulnerable version (1.15.1) and the patched version (1.15.2). I found a commit with the message 'Disallow GET requests to /management/commands endpoint'. This commit modifies the ShellCommandsController.java file and changes the @RequestMapping for the command method to only allow POST requests, removing GET. This directly addresses the vulnerability as described. The vulnerable function is therefore org.apache.geode.management.internal.web.controllers.ShellCommandsController.command, which was processing the user-provided cmd parameter without sufficient validation, leading to the XSS vulnerability when accessed via a GET request.

Vulnerable functions

org.apache.geode.management.internal.web.controllers.ShellCommandsController.command

geode-web/src/main/java/org/apache/geode/management/internal/web/controllers/ShellCommandsController.java

The vulnerability lies in the `command` method of the `ShellCommandsController` class. Before the patch, this method accepted both GET and POST requests to the `/management/commands` endpoint. A Cross-Site Scripting (XSS) vulnerability existed because the `cmd` parameter, when passed via a GET request (e.g., through a malicious link), was not properly sanitized before being rendered in the response. This allowed an attacker to inject and execute arbitrary JavaScript code in the context of a logged-in user's browser. The fix mitigates this by removing support for GET requests, thus preventing the attack vector of a user clicking a specially crafted link.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-44088: Apache Geode web-api is vulnerable to Cross-site Scripting

CVE-2024-44088:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-44088: Apache Geode web-api is vulnerable to Cross-site Scripting

6.1

6.1

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI