
CVE-2024-44088: Apache Geode web-api is vulnerable to Cross-site Scripting

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 10/14/2025
Updated: 10/14/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.geode:geode-web-api | maven | >= 1.1.0, < 1.15.2 | 1.15.2 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a Cross-Site Scripting (XSS) issue in the Apache Geode web-api. The description mentions that an attacker can trick a logged-in user into clicking a specially-crafted link, which is a typical vector for reflected XSS and usually involves a GET request. I analyzed the commits between the vulnerable version (1.15.1) and the patched version (1.15.2). I found a commit with the message 'Disallow GET requests to /management/commands endpoint'. This commit modifies the ShellCommandsController.java file and changes the @RequestMapping for the command method to only allow POST requests, removing GET. This directly addresses the vulnerability as described. The vulnerable function is therefore org.apache.geode.management.internal.web.controllers.ShellCommandsController.command, which was processing the user-provided cmd parameter without sufficient validation, leading to the XSS vulnerability when accessed via a GET request.

Vulnerable functions

Function: org.apache.geode.management.internal.web.controllers.ShellCommandsController.command
File: geode-web/src/main/java/org/apache/geode/management/internal/web/controllers/ShellCommandsController.java
The vulnerability lies in the `command` method of the `ShellCommandsController` class. Before the patch, this method accepted both GET and POST requests to the `/management/commands` endpoint. A Cross-Site Scripting (XSS) vulnerability existed because the `cmd` parameter, when passed via a GET request (e.g., through a malicious link), was not properly sanitized before being rendered in the response. This allowed an attacker to inject and execute arbitrary JavaScript code in the context of a logged-in user's browser. The fix mitigates this by removing support for GET requests, thus preventing the attack vector of a user clicking a specially crafted link.
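As an added illustration (not Apache Geode's own code), the following minimal Spring MVC controller shows the weak mapping the analysis describes beside the hardened form; the class name, handler names and paths are hypothetical, and the escaping of the echoed value is defense in depth that the page's description of the fix does not include.

```java
// Added example, not Apache Geode code. Hypothetical controller mirroring the
// pattern described in the root cause analysis: a handler that echoes a
// user-supplied "cmd" parameter into an HTML response.
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.util.HtmlUtils;

@RestController
@RequestMapping("/management")
public class CommandsControllerExample {

  // BEFORE (weak): reachable via GET, so a link that a logged-in user clicks is
  // enough to trigger it, and the parameter is placed in the page unescaped.
  @RequestMapping(value = "/commands-before",
      method = {RequestMethod.GET, RequestMethod.POST},
      produces = MediaType.TEXT_HTML_VALUE)
  public ResponseEntity<String> commandBefore(@RequestParam("cmd") String cmd) {
    return ResponseEntity.ok("<pre>Executed: " + cmd + "</pre>");
  }

  // AFTER: POST only, which is the change the 1.15.2 commit applies. A GET to
  // this handler is answered by Spring with 405 Method Not Allowed, closing the
  // click-a-link vector. HtmlUtils.htmlEscape additionally encodes the value
  // for the HTML context so that a reflected parameter cannot become markup.
  @PostMapping(value = "/commands-after", produces = MediaType.TEXT_HTML_VALUE)
  public ResponseEntity<String> commandAfter(@RequestParam("cmd") String cmd) {
    return ResponseEntity.ok("<pre>Executed: " + HtmlUtils.htmlEscape(cmd) + "</pre>");
  }
}
```

Restricting the method narrows how the handler can be reached; encoding the reflected value is what removes the injection itself, so a hardened service keeps both.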

WAF Protection Rules

WAF Rule

Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which co
