Multiple Vulnerabilities in Badger Meter's Monitool
Description
Cross-site scripting vulnerability in Badger Meter Monitool that affects versions 4.6.3 and earlier. This vulnerability allows a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Badger Meter Monitool up to 4.6.3 allows remote attackers to inject arbitrary JavaScript into an authenticated user's browser session.
Vulnerability
CVE-2024-1304 is a stored or reflected cross-site scripting vulnerability in Badger Meter Monitool, affecting versions up to and including 4.6.3. The vulnerability exists in an unspecified input field or parameter that does not properly sanitize user-supplied data. A remote attacker can craft a malicious JavaScript payload and deliver it to an authenticated user via a specially crafted request or link. The software will then execute the payload in the context of the authenticated user's session.
Exploitation
An attacker must be able to send a crafted request (e.g., via a malicious link or email) to an authenticated user of Monitool. The user must be logged into the application for the payload to execute. The attacker does not need prior authentication; they only need to induce an authenticated user to interact with the malicious payload (user interaction). The exploitation involves injecting JavaScript into a page that the victim views, leading to partial session hijacking.
Impact
Successful exploitation allows the attacker to partially hijack the victim's browser session. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L) indicates low impact on confidentiality, integrity, and availability. The attacker could perform actions on behalf of the victim, such as modifying application settings, extracting sensitive data displayed on the page, or redirecting the user to malicious sites. The scope is unchanged (same application context).
Mitigation
Badger Meter has resolved the vulnerability in Monitool version 4.7 and later [1]. Users should upgrade to 4.7 or a newer release. No workarounds are documented in the available reference. If upgrading is not immediately possible, restrict network access to the application and ensure all users are cautious of unsolicited links.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.6.3
- (no CPE) range: 4.6.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.