CVE-2025-50690
BaseFortify
Publication date: 2025-08-13
Last updated on: 2025-08-13
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osgeo | spatialreference.org | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-50690 is a Reflected Cross-Site Scripting (XSS) vulnerability in SpatialReference.org versions prior to 2025-05-17. It occurs because the site improperly handles user input in the search query parameter by inserting it directly into the page's HTML using innerHTML without sanitization. This allows an attacker to craft a malicious URL that injects and executes arbitrary JavaScript in the victim's browser when they visit the URL, potentially leading to session hijacking, phishing, data theft, or redirection to malicious sites. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary JavaScript in your browser context when you visit a maliciously crafted URL on SpatialReference.org. This can lead to session hijacking, where attackers steal your session cookies; phishing attacks by redirecting you to fake sites; theft of sensitive data; alteration of page content to deceive you; or forcing you to perform unintended actions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the /ref/ search feature of SpatialReference.org for reflected XSS. Craft a URL with a JavaScript payload in the search query parameter and observe whether it executes in the browser. For example, request a URL like `https://spatialreference.org/ref/?search=<script>alert(1)</script>` in a browser and check whether an alert box appears; curl can fetch the same URL, but it does not execute JavaScript, so it will never show an alert. Alternatively, use browser developer tools or automated scanners that detect reflected XSS by injecting test scripts into input parameters and monitoring the response for script execution. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and encoding all user input before inserting it into HTML, avoiding the use of innerHTML for untrusted content and using textContent instead, employing frameworks or templating engines that automatically handle escaping, and implementing a Content Security Policy (CSP) to limit the impact of injected scripts. Additionally, update SpatialReference.org to the fixed version released after 2025-05-17. [1]
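The innerHTML-versus-textContent fix named above, shown as an added example (not SpatialReference.org's own code) that pairs the vulnerable pattern with two hardened forms. All function names, the `#search-summary` element id and the CSP value are assumptions made for illustration.

```javascript
// Added example; getSearchTerm, renderUnsafe, renderSafe and showSearchTerm are
// hypothetical names and do not come from the SpatialReference.org code base.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the `search` query parameter; a missing parameter becomes ''.
function getSearchTerm(pageUrl) {
  return new URL(pageUrl).searchParams.get('search') ?? '';
}

// BEFORE (vulnerable pattern): the raw term is concatenated into markup that
// is then assigned to innerHTML, so the browser parses it as HTML.
function renderUnsafe(term) {
  return '<p>Results for: ' + term + '</p>';
}

// AFTER, option 1: if markup must be built as a string, encode the term first.
function renderSafe(term) {
  return '<p>Results for: ' + escapeHtml(term) + '</p>';
}

// AFTER, option 2 (preferred): build no markup at all; textContent stores the
// term as plain text and the browser never parses it as HTML.
function showSearchTerm(element, pageUrl) {
  element.textContent = 'Results for: ' + getSearchTerm(pageUrl);
  return element;
}

// Constructed input: the test URL quoted in the detection answer above.
const SAMPLE_URL = 'https://spatialreference.org/ref/?search=<script>alert(1)</script>';

// Illustrative CSP (an assumed policy, not the site's): same-origin scripts only,
// which also blocks inline script as defence in depth.
const EXAMPLE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// In a browser: showSearchTerm(document.querySelector('#search-summary'), location.href);
```
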