CVE-2024-23604
Description
A cross-site scripting vulnerability in FitNesse all releases allows remote unauthenticated attackers to execute arbitrary scripts via crafted multiple parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
All releases of FitNesse are affected by a cross-site scripting (XSS) vulnerability, tracked as CVE-2024-23604. The flaw lies in the handling of specially crafted multiple parameters in URLs: when a user follows a link containing such parameters, the product does not properly sanitize the input before reflecting it, allowing script injection. No fixed version is identified; the developer notes that older versions will not receive patches [3][4].
Exploitation
An attacker can exploit this vulnerability by sending a user a crafted link containing multiple malicious parameters. The user must open the link while logged into or otherwise using FitNesse. The attacker needs no authentication or special privileges; the attack is remote and unauthenticated, and the only user interaction required is clicking the link [3].
Impact
Successful exploitation allows an arbitrary script to execute in the context of the victim's web browser. This can lead to session hijacking, data theft, or other client-side attacks, potentially compromising the user's interaction with FitNesse. The CVSS v3 base score is 6.1 (medium severity), with low impact on confidentiality and integrity [3].
Mitigation
FitNesse recommends that users run the product in a secure, sandboxed development environment, restrict access to trusted users, and avoid exposing it on public servers. The -lh command-line argument can be used to limit connections to the local machine. Since the vulnerability affects all releases and no patch is provided for older versions, users should upgrade to the latest release (v20220319 fixed related XSS issues, but not this one) and follow the project's security policy [3][4].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 3
News mentions: 0
No linked articles in our index yet.