VYPR
Moderate severity · NVD Advisory · Published Mar 4, 2021 · Updated Aug 4, 2024

CVE-2020-24912

Description

A reflected cross-site scripting (XSS) vulnerability in qcubed (all versions including 3.1.1) in profile.php via the stQuery parameter allows unauthenticated attackers to steal sessions of authenticated users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in QCubed profile.php via the stQuery parameter allows unauthenticated attackers to steal authenticated user sessions.

Vulnerability

Overview

A reflected cross-site scripting (XSS) vulnerability exists in all versions of QCubed (including 3.1.1) within profile.php. The flaw is caused by insufficient sanitization of the stQuery parameter, allowing an attacker to inject arbitrary HTML or JavaScript into the page response. [1]

Attack

Vector

An unauthenticated attacker can craft a malicious URL containing the XSS payload in the stQuery parameter. If a logged-in user visits this crafted URL, the injected script executes in the context of the victim's session. No authentication is required on the attacker's side: because this is a reflected (non-persistent) XSS, the payload travels in the URL and is echoed straight back in the response, so the attacker only needs a victim to follow the link. [1]

Impact

Successful exploitation allows the attacker to steal session cookies (or other sensitive data) of authenticated users, potentially leading to account takeover. This is particularly dangerous because the attacker can operate without any prior authentication or privileges. [1]

Mitigation

Status

At the time of publication (March 2021), no official patch was available in a stable release. A pull request (PR #1320) was submitted to the QCubed GitHub repository that partially addresses the issue by adding input validation and using HtmlEntities() in certain profiler parameters, but it is unclear if this was merged into a subsequent release. [3] Users should apply input sanitization or disable the profiling functionality as a workaround. The project's official website (qcubed.com) appears to be inactive, suggesting the framework may no longer be maintained. [2][4]
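To make the flaw and its fix concrete, the following is an added illustration written for this advisory, not code from QCubed or from PR #1320. It assumes a hypothetical page that echoes a request parameter named stQuery into HTML, shows it first in the vulnerable shape and then hardened with output encoding (using PHP's built-in htmlspecialchars rather than the framework's HtmlEntities() helper), and adds an HttpOnly session cookie as defense in depth against the session-theft impact described above.

```php
<?php
// Added illustration for CVE-2020-24912 (not QCubed's own code).
// Hypothetical page that reflects the stQuery request parameter into markup.

// Vulnerable shape (constructed): the raw parameter is concatenated into the
// response, so any HTML or JavaScript in the request is returned unencoded.
function renderQueryVulnerable(string $stQuery): string
{
    return '<p>Query: ' . $stQuery . '</p>';
}

// Hardened shape: encode for the HTML text context before concatenating.
// ENT_QUOTES also encodes ' and " so the value is safe inside attribute
// quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function renderQueryHardened(string $stQuery): string
{
    $safe = htmlspecialchars($stQuery, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Query: ' . $safe . '</p>';
}

// Defense in depth: an HttpOnly session cookie cannot be read by script,
// which blunts session theft even if an encoding gap remains elsewhere.
// Must be called before session_start(); array form needs PHP >= 7.3.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration on a constructed, harmless input containing markup characters.
// The vulnerable output carries the markup live; the hardened output renders
// the same characters as literal text.
$stQuery = '<b onmouseover="x()">demo</b>';

echo renderQueryVulnerable($stQuery), PHP_EOL;
echo renderQueryHardened($stQuery), PHP_EOL;
```

Run it from the command line (php example.php) and compare the two lines; the hardened line contains no raw `<` or `"` characters, so a browser would display the query rather than interpret it.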

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| qcubed/qcubed | Packagist | < 3.2 | 3.2 |
