CVE-2024-25503
Description
Cross Site Scripting (XSS) vulnerability in Advanced REST Client v.17.0.9 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted script to the edit details parameter of the New Project function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advanced REST Client v.17.0.9 has a stored XSS vulnerability in the 'edit details' parameter of the New Project function, allowing arbitrary code execution and sensitive information disclosure.
Vulnerability
Overview
CVE-2024-25503 is a Cross-Site Scripting (XSS) vulnerability found in Advanced REST Client version 17.0.9. The flaw resides in the 'edit details' parameter of the New Project function, where insufficient input sanitization enables an attacker to inject arbitrary script code [1].
Exploitation
The vulnerability can be exploited by a remote attacker who crafts a malicious script and submits it through the 'edit details' field. The attack does not require prior authentication; however, it likely depends on user interaction, such as a victim viewing the crafted project details within the application [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the affected user's session. This can lead to sensitive information disclosure, including session tokens, API keys, or other data accessible within the application, and could facilitate further attacks like account takeover [1].
Mitigation
As of the publication date (April 4, 2024), no official patch has been announced. Users are advised to avoid using the 'edit details' feature with untrusted input or to apply input validation/encoding until a fix is released by the vendor [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 17.0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.