CVE-2024-44088

Published Oct 14, 2025

Last updated 6 months ago

CVSS medium 6.1

Overview

Description
Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user's session information and even account takeover. This issue affects Apache Geode: all versions prior to 1.15.2 Users are recommended to upgrade to version 1.15.2, which fixes the issue.
Source
security@apache.org
NVD status
Analyzed
Products
geode

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

security@apache.org
CWE-79

Social media

Hype score
Not currently trending

  1. CVE-2024-44088 Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user i… https://t.co/yZW5Hz1JK4

    @CVEnew

    14 Oct 2025

    192 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This issue affects Apache Geode: versions 1.10 through 1.15.1 Users are recommended to upgrade to version 1.15.2, which fixes the issue.CVE-2025-47410
  2. Apache Tomcat Improper Privilege Management VulnerabilityCVE-2020-1938
  3. Docker Desktop Community Edition Privilege Escalation VulnerabilityCVE-2019-15752

References

Sources include official advisories and independent security research.