CVE-2024-37161

4.0 MEDIUM

📋 TL;DR

MeterSphere versions before 1.10.1-lts contain a stored cross-site scripting (XSS) vulnerability in the step editor. This allows attackers to inject malicious scripts that execute in users' browsers when viewing affected content. Organizations using vulnerable MeterSphere instances are affected.

💻 Affected Systems

Products:
  • MeterSphere
Versions: All versions prior to 1.10.1-lts
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All MeterSphere deployments using affected versions are vulnerable if the step editor feature is accessible.

📦 What is this software?

MeterSphere is an open-source continuous testing platform (test case management, API and performance testing) maintained by FIT2CLOUD; the step editor is the component where test steps are authored and edited.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware to users' systems.

🟠 Likely Case

Attackers with access to create/edit steps could inject scripts that steal session tokens or credentials from other users viewing those steps.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create or edit steps in MeterSphere, typically requiring some level of authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.10.1-lts

Vendor Advisory: https://github.com/metersphere/metersphere/security/advisories/GHSA-6h7v-q5rp-h6q9

Restart Required: Yes

Instructions:

1. Back up your MeterSphere instance and database.
2. Update to version 1.10.1-lts using your deployment method (Docker, Kubernetes, or manual).
3. Restart the MeterSphere services.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize HTML/JavaScript content in step editor inputs, and encode step content on output so that anything that slips past validation is rendered as text rather than markup.

Content Security Policy (applies to: all)

Implement strict Content Security Policy headers to restrict script execution. A CSP limits what an injected script can do; it does not remove the underlying flaw, so it is a stopgap until 1.10.1-lts is deployed.

🧯 If You Can't Patch

  • Restrict access to step editor functionality to trusted users only
  • Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check whether your MeterSphere version is below 1.10.1-lts in the system settings or About page.

Check Version:

Check the version shown in the MeterSphere web interface, or inspect the image of the running container (e.g. `docker inspect metersphere/metersphere:latest`). Note that inspecting an image tag only reports the image present on the host; confirm the running container actually uses it.

Verify Fix Applied:

After updating, verify that the version shows 1.10.1-lts or higher and test step editor functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual step creation/modification patterns
  • Requests containing suspicious script tags or JavaScript in step editor endpoints

Network Indicators:

  • HTTP requests to step editor endpoints with encoded script payloads

SIEM Query:

source="metersphere" AND (uri_path="/api/step/" OR uri_path="/step/") AND (http_content CONTAINS "<script>" OR http_content CONTAINS "javascript:")
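The query above matches only the literal strings `<script>` and `javascript:`, so the encoded payloads listed under Network Indicators slip past it. The following Python is an added example, not code from the page or the MeterSphere project: it applies the same endpoint-and-pattern logic to constructed sample request lines in an assumed `METHOD PATH BODY` format, but percent-decodes and HTML-entity-decodes the body first so encoded variants are flagged as well.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample request lines in an assumed "METHOD PATH BODY" format
# (not real MeterSphere logs). Payloads are the harmless alert(1) probe.
SAMPLE_LOG = [
    "POST /api/step/save desc=Checks+the+login+page",
    "POST /api/step/save desc=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "POST /step/update desc=&lt;a href=&quot;javascript&#58;alert(1)&quot;&gt;x&lt;/a&gt;",
    "POST /api/step/save desc=<script>alert(1)</script>",
    "POST /api/project/list desc=<script>alert(1)</script>",
    "GET /api/step/list",
]

# Same endpoint filter and indicator strings as the SIEM query above.
STEP_PATHS = ("/api/step/", "/step/")
SCRIPT_PATTERNS = (
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
)


def normalize(text: str, rounds: int = 3) -> str:
    """Undo percent-encoding and HTML entities, repeating a bounded number of
    times so doubly encoded bodies are reduced to the form the browser sees."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text


def parse_line(line: str):
    """Split 'METHOD PATH BODY'; the body is empty for requests without one."""
    parts = line.split(" ", 2)
    return parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def scan(lines, decode: bool = True):
    """Return the lines hitting a step-editor endpoint with script indicators.
    decode=False reproduces the literal CONTAINS behaviour of the SIEM query."""
    hits = []
    for line in lines:
        _method, path, body = parse_line(line)
        if not any(p in path for p in STEP_PATHS):
            continue
        text = normalize(body) if decode else body
        if any(pat.search(text) for pat in SCRIPT_PATTERNS):
            hits.append(line)
    return hits
```

The literal match catches only the unencoded line; the decoded scan also flags the percent-encoded and entity-encoded bodies, while the same payload sent to a non-step endpoint is ignored just as in the original query.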
