CVE-2024-13597
Description
Internet Starter, one of the SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS (Cross-site Scripting) attacks. An attacker might trick a user into filling a form sent to the login panel at /softcom/ with a malicious script, which causes the script to run in the user's context. This vulnerability has been patched in version 79.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Internet Starter module in SoftCOM iKSORIS is vulnerable to reflected XSS, allowing script injection via form input on the login panel.
Vulnerability Description
Internet Starter, a module of the SoftCOM iKSORIS system, is vulnerable to a Reflected Cross-Site Scripting (XSS) attack. The root cause is improper neutralization of user input during web page generation (CWE-79) [1]. A malicious script can be injected through a form on the login panel at /softcom/ and executed in the user's browser.
Exploitation
An attacker can exploit this by crafting a URL containing a malicious script and tricking a user into visiting it. The attack requires the victim to submit the form on the login panel, causing the malicious script to reflect back and execute in the user's session context. No prior authentication is needed for the initial injection [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the user's browser. This can lead to session hijacking, data theft, or further attacks within the iKSORIS application. The iKSORIS system is used by over 300 institutions in Poland, including museums, theaters, swimming pools, and tourist attractions [2], making this a notable supply-chain risk.
Mitigation
The vulnerability has been patched in iKSORIS version 79.0. Users are advised to update to this version immediately [1]. There is no indication of this CVE being listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <79.0
Patches
No patches discovered yet.
References: 2
News mentions
No linked articles in our index yet.