CVE-2024-24034

Vulnerability

Setor Informatica S.I.L version 3.0 is vulnerable to an open redirect via the hprinter parameter. The application fails to validate or sanitize user input passed to this parameter, allowing an attacker to inject a malicious URL that the application will redirect to. The vulnerability is present in the default installation of version 3.0 [1].

Exploitation

An attacker can exploit this vulnerability by crafting a URL that includes a malicious external domain in the hprinter parameter and sending it to a victim. No authentication is required, and the attack can be performed remotely via a simple HTTP GET request. The victim only needs to click the crafted link [1].

Impact

Successful exploitation leads to an open redirect, which can be used for phishing attacks, malware distribution, or bypassing URL-based security controls. The attacker gains the ability to direct users to arbitrary external sites, potentially leading to credential theft or further compromise [1].

Mitigation

As of the publication date (2024-02-08), no official patch or fixed version has been released. Users are advised to implement input validation for the hprinter parameter, or restrict redirect destinations to a whitelist of allowed domains. The vendor has not yet responded with a fix [1].