VYPR
Medium severity · CVSS 6.4 · NVD Advisory · Published Feb 1, 2026 · Updated Apr 15, 2026

CVE-2023-54343

Description

QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can exploit the vulnerability to execute persistent cross-site scripting attacks, potentially leading to session hijacking and application module manipulation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

QWE DL 2.0.1 for iOS contains a persistent XSS vulnerability via path parameter manipulation, enabling remote attackers to execute malicious scripts without authentication.

Vulnerability

Overview

QWE DL v2.0.1, an iOS mobile web application for file management, suffers from a persistent cross-site scripting (XSS) vulnerability due to improper input validation in the path parameter [1][3]. The web application's GCDWebUploader component fails to sanitize user-supplied input, allowing attackers to inject arbitrary script code that is stored and later served to other users [1].

Exploitation

The vulnerability can be exploited remotely by manipulating the path parameter in requests to the web interface. No authentication is required, so it is reachable by any attacker who can reach the application's network endpoint [1][3]. However, the attack does require a degree of user interaction: the victim must navigate to the affected page where the malicious script is stored [1].

Impact

Successful exploitation enables persistent XSS attacks, potentially leading to session hijacking and manipulation of application modules [1][3]. The attacker could steal session tokens, perform actions on behalf of the victim, or modify the application's behavior. The CVSS v3 score is 6.4 (Medium), reflecting the moderate severity [3].

Mitigation

The vulnerability was disclosed in July 2023, but vendor responsiveness is unclear from the advisory [1]. As of the latest available version (2.0.1, last updated April 2016), no official patch has been confirmed [2]. Users should consider limiting exposure by restricting network access to the application and monitoring for suspicious activity [1].
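As an added illustration that is not part of the advisory or of the QWE DL / GCDWebUploader code, the following JavaScript sketches the two controls whose absence the overview describes: validating the path parameter before it is accepted for storage, and HTML-encoding it before it is rendered into a file listing. Function names and sample values are constructed.

```javascript
// Added example (not from the advisory or the GCDWebUploader project):
// defensive handling of a file-manager "path" parameter, so a hostile
// value is neither stored nor echoed back into markup unencoded.

// Reject values that are not a plausible file-manager path. Control
// characters, NUL bytes and traversal segments are refused outright
// rather than "cleaned", so nothing surprising reaches storage.
function validatePath(path) {
  if (typeof path !== "string" || path.length === 0 || path.length > 1024) {
    return null;
  }
  if (!path.startsWith("/")) return null;
  if (/[\x00-\x1f\x7f]/.test(path)) return null;
  for (const seg of path.split("/").slice(1)) {
    if (seg === "." || seg === "..") return null;
  }
  return path;
}

// Encode for HTML text and quoted-attribute contexts: every character
// that can close an attribute or open a tag becomes an entity.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render one directory-listing row. The raw value is never concatenated
// into markup, only its encoded form is, and an invalid path produces a
// fixed error row instead of reflecting the input.
function renderListingRow(path) {
  const safe = validatePath(path);
  if (safe === null) {
    return '<li class="error">Invalid path</li>';
  }
  const enc = escapeHtml(safe);
  return `<li data-path="${enc}">${enc}</li>`;
}

// Constructed sample inputs: a benign path, a script-bearing path of the
// kind the advisory describes, and a traversal attempt.
const SAMPLE_PATHS = [
  "/Documents/report.pdf",
  "/Documents/<script>alert(1)</script>",
  "/Documents/../private",
];
for (const p of SAMPLE_PATHS) console.log(renderListingRow(p));
```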

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.