Today we have released versions 4.2.1, 4.1.2, 4.0.2 and 3.7.3 of Nominatim which fix a cross-site scripting issue in the API.

As part of a feature request we were made aware that Nominatim’s debug output improperly quotes user input, so that any javascript code may be injected through the URL. The bug-fix releases fix this issue. Given that Nominatim does not handle sensitive user data, the severity is only medium even though it can be exploited very easily. You should update nonetheless, especially when running a Nominatim instance in a sensitive environment.

Updating is straightforward. Simply build and install the new version. If you are running a 4.1 installation, please check which patch version you are running. If you are on 4.1.99, then you need to update to 4.2.1 directly.