VYPR
Moderate severity · NVD Advisory · Published Jan 16, 2024 · Updated Jun 5, 2025

CVE-2024-22491

Description

A Stored Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the post/save content parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Beetl BBS 2.0 is vulnerable to stored XSS via the post/save content parameter, allowing attackers to execute arbitrary script in victim browsers.

Vulnerability Description

Beetl BBS 2.0 contains a stored cross-site scripting (XSS) vulnerability in its post creation functionality. The post/save endpoint does not properly encode or filter the content parameter, allowing attackers to inject arbitrary web script or HTML [1][2]. While the jQuery serialize method provides some client-side encoding, it is insufficient to prevent server-side injection [2].

Attack Vector and Exploitation

An attacker can exploit this vulnerability by submitting a specially crafted payload in the content field when creating a new post or replying under an existing topic. The proof-of-concept payload `` demonstrates that injected JavaScript is stored and executed when other users view the affected post [2]. No authentication beyond normal forum access is required to submit posts, making the attack surface broad.

Impact and Risks

Successful exploitation leads to stored XSS, enabling an attacker to run arbitrary JavaScript in the context of any authenticated user viewing the malicious post. This can result in cookie theft, session hijacking, or defacement. Notably, the application's login cookie contains an MD5 hash of the user's password; if this cookie is leaked via XSS and the AES encryption key is unchanged, an attacker could attempt to crack the password hash offline [2].

Mitigation Status

As of the advisory, beetl-bbs v2.0 is affected, and the vendor has not released a patched version. Mitigation requires server-side input validation and output encoding for the content parameter, ensuring that user-supplied data is not interpreted as executable HTML or JavaScript [1][2]. No workaround or official fix is documented.
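
The following is an added example, not code from beetl-bbs or from the advisory. It shows why the transport encoding applied by a client-side form serializer does not reach the stored value, and what HTML output encoding does to that same value. The class name, method name and test string are constructed for illustration, and the hand-written encoder covers only HTML element-body and quoted-attribute contexts.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class ContentEncodingExample {

    // HTML-encode text so that stored markup is displayed as text
    // instead of being parsed by the browser (hypothetical helper).
    static String encodeForHtml(String input) {
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed test string; not the advisory's proof of concept.
        String typed = "<script>alert(1)</script>";

        // Stand-in for what a form serializer sends: percent-encoding
        // that exists only to carry the value safely over HTTP.
        String onTheWire = "content="
                + URLEncoder.encode(typed, StandardCharsets.UTF_8);

        // The server decodes the form field before the handler sees it,
        // so the value that gets stored is the raw markup again.
        String received = URLDecoder.decode(
                onTheWire.substring("content=".length()),
                StandardCharsets.UTF_8);

        System.out.println("wire     : " + onTheWire);
        System.out.println("received : " + received);
        System.out.println("unchanged: " + received.equals(typed));

        // Encoding at output time is what stops the browser parsing it.
        System.out.println("rendered : " + encodeForHtml(received));
    }
}
```

In a real deployment the encoding belongs wherever stored content is written into a page, and a maintained encoder library is preferable to a hand-written one.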

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| com.ibeetl:beetl (Maven) | <= 2.0.0 | |

Affected products

3

Patches

0

No patches discovered yet.
