On February 2024, a significant security vulnerability was identified in Serenity CMS (before version 6.8.). Tracked as CVE-2024-26318, this flaw allows attackers to perform Cross-Site Scripting (XSS) attacks via specially crafted email links—posing a risk to users and sites running affected versions.
In this article, I’ll break down the vulnerability, show exactly how the exploit works with easy-to-understand code snippets, and provide you with sources and mitigation advice.
What’s the Problem?
Serenity’s login page (LoginPage.tsx) lets you redirect users to a return URL after login. However, before version 6.8., the application fails to verify that the return URL starts with a / (slash) character. This allows an attacker to pass a malicious URL parameter, leading to XSS.
Why Is This Dangerous?
Hackers can do a lot with XSS—like stealing user cookies, hijacking sessions, or injecting malicious scripts. If a user clicks on a tainted email login link, that’s enough to trigger the attack.
The Root Cause in the Code
The vulnerability is in the handling of the returnUrl parameter on the login page. Here’s a simplified version of the code in LoginPage.tsx before the patch:
// LoginPage.tsx - vulnerable version
function handleLoginSuccess() {
const returnUrl = new URLSearchParams(window.location.search).get("returnUrl");
if (returnUrl) {
window.location = returnUrl; // REDIRECTS with NO validation!
} else {
window.location = "/dashboard"; // Default
}
}
The problem:
No check ensures returnUrl starts with /. So ANY string is accepted—including javascript: or URLs with embedded scripts.
Step 1: Prepare a malicious link.
https://victim-serenity-site.com/login?returnUrl=javascript:alert('XSS')
Step 4: After successful login, Serenity runs
window.location = "javascript:alert('XSS')";
The page executes JavaScript—attack succeeded.
Exploit Demo
Here’s a real-world proof-of-concept XSS link. If you substitute the target domain with a live vulnerable site, this will spawn an alert box:
https://serenity.example.com/login?returnUrl=javascript:alert(document.domain)
Or with HTML data URL
https://serenity.example.com/login?returnUrl=data:text/html,<script>alert('XSS')</script>;
Remediation
Patch:
The fix is to make sure returnUrl starts with a / (making it a local redirect only)
// LoginPage.tsx - patched
function handleLoginSuccess() {
const returnUrl = new URLSearchParams(window.location.search).get("returnUrl");
if (returnUrl && returnUrl.startsWith("/")) {
window.location = returnUrl; // Only allow relative, site-local paths
} else {
window.location = "/dashboard"; // Default
}
}
Upgrade:
Upgrade to Serenity 6.8. or later, which applies this patch.
References
- GitHub Commit Fixing Issue
- Serenity CMS Releases
- NVD CVE-2024-26318 Detail
Final Words
CVE-2024-26318 is a textbook example of why developers must *never send user input straight into redirection or script contexts* without thorough checks. Fortunately, patching is simple and effective—so if you maintain a Serenity CMS install, update now.
Stay safe, and always validate your inputs!
*Written exclusively for you. If you found this helpful, share it to help others secure their sites!*
Timeline
Published on: 02/19/2024 04:15:07 UTC
Last modified on: 02/13/2025 17:13:39 UTC