OSGeo SpatialReference.org Cross-Site Scripting Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in OSGeo SpatialReference.org, affecting versions prior to May 17, 2025. The issue arises from inadequate sanitization of user input in the search query parameter, allowing attackers to inject malicious JavaScript that is executed in the context of the victim's browser. This vulnerability could be exploited to hijack sessions, steal data, or redirect users to harmful websites.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's session, with potential consequences including session hijacking, data theft, or redirection to malicious sites.

Reproduction

The vulnerability can be reproduced by sending a request to the '/ref/' search feature with a crafted search parameter that includes JavaScript payloads. The injected script will execute in the browser, demonstrating the XSS vulnerability.

Remediation

Users are advised to update to the latest version of OSGeo SpatialReference.org, as the vulnerability has been fixed in the version released on May 17, 2025.