VYPR
Moderate severityNVD Advisory· Published Jan 23, 2024· Updated Sep 10, 2024

CVE-2024-22490

Description

Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

beetl-bbs 2.0 contains a reflected XSS via the /index keyword parameter, allowing arbitrary script injection.

Vulnerability

Overview

beetl-bbs version 2.0 contains a reflected cross-site scripting (XSS) vulnerability in the /index endpoint's keyword parameter [1][2]. This flaw allows an attacker to inject arbitrary web script or HTML into the page, which can be executed in the context of the victim's browser session.

Exploitation

A remote attacker can craft a malicious URL carrying a script payload in the `keyword` parameter. If a logged-in user opens such a link, the injected script executes in their browser within the site's own origin, so the same-origin policy places no restriction on it. No authentication or special preconditions are required beyond user interaction with the crafted link [2].

Impact

Successful exploitation can lead to session hijacking or credential theft. The reference notes that after user login, the application stores a cookie containing an MD5 hash of the user's password. If the XSS payload exfiltrates this cookie and the AES encryption key remains unchanged, an attacker could attempt to crack the MD5 hash to recover the plaintext password [2].

Mitigation

As of the publication date, no patch has been released for beetl-bbs 2.0. Users should apply input validation and output encoding for the keyword parameter, or upgrade to a patched version if made available. This CVE is listed in the NVD with enrichment data but has not yet received a CVSS score [1].
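The output-encoding fix recommended above, shown as an added example rather than code from beetl-bbs: the untrusted `keyword` value is HTML-entity encoded before it is written into the page, with an optional allowlist check as defence in depth. Both the vulnerable and the hardened rendering are included so the difference is visible; the function names, the allowlist pattern and the sample input are assumptions for illustration.

```java
// Added example (not beetl-bbs code): output encoding and input validation for a
// reflected search parameter such as the "keyword" parameter of /index.
import java.util.regex.Pattern;

public class KeywordRendering {

    // Vulnerable pattern: the untrusted parameter is concatenated straight into HTML,
    // so any markup in it is interpreted by the browser.
    static String renderUnsafe(String keyword) {
        return "<h2>Results for: " + keyword + "</h2>";
    }

    // Hardened pattern: every character with meaning in HTML is encoded before output,
    // so the value is displayed as text regardless of what it contains.
    static String renderSafe(String keyword) {
        return "<h2>Results for: " + escapeHtml(keyword) + "</h2>";
    }

    // Minimal HTML entity encoder, suitable for element text content and for values
    // placed inside double-quoted attributes. Not sufficient on its own inside
    // <script> blocks, inline event handlers or URLs, which need context-specific encoding.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Defence in depth: narrow what a search box accepts. Encoding remains the primary
    // control; this check only reduces the surface (length and character set are assumed
    // values for the example).
    private static final int MAX_LEN = 64;
    private static final Pattern ALLOWED = Pattern.compile("^[\\p{L}\\p{N} _\\-]*$");

    static boolean isValidKeyword(String keyword) {
        return keyword != null
            && keyword.length() <= MAX_LEN
            && ALLOWED.matcher(keyword).matches();
    }

    public static void main(String[] args) {
        // Constructed sample input: harmless markup that a browser would interpret as a tag.
        String keyword = "<b>beetl</b>";
        System.out.println("unsafe: " + renderUnsafe(keyword));
        System.out.println("safe:   " + renderSafe(keyword));
        System.out.println("valid:  " + isValidKeyword(keyword));
        System.out.println("valid:  " + isValidKeyword("beetl bbs"));
    }
}
```

Encoding must happen at the point of output for the context the value lands in; a value encoded for HTML text is still unsafe if later inserted into a script block or a URL. Given the cookie handling described under Impact, marking the session cookie HttpOnly limits what an injected script can read directly, but it is a separate control from the encoding shown here and does not remove the injection itself.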

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.ibeetl:beetl (Maven)
Affected versions: <= 2.0.0
Patched versions: none listed

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.