VYPR
Medium severity · 6.1 · NVD Advisory · Published Mar 19, 2024 · Updated Apr 15, 2026

CVE-2024-2633


Description

A Cross-Site Scripting vulnerability has been found in Meta4 HR affecting version 819.001.022 and earlier. The endpoint '/sitetest/english/dumpenv.jsp' is vulnerable to an XSS attack via the 'lang' query parameter, e.g. '/sitetest/english/dumpenv.jsp?snoop=yes&lang=%27%3Cimg%20src/onerror=alert(1)%3E&params'.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-2633 is a reflected XSS in Meta4 HR's /sitetest/english/dumpenv.jsp via the 'lang' parameter, affecting version 819.001.022 and earlier.

Vulnerability

Overview

CVE-2024-2633 is a reflected Cross-Site Scripting (XSS) vulnerability in Cegid Meta4 HR, affecting version 819.001.022 and earlier. The flaw resides in the /sitetest/english/dumpenv.jsp page, which does not properly sanitize the lang query parameter. An attacker can inject arbitrary HTML or JavaScript by crafting a malicious URL, such as /sitetest/english/dumpenv.jsp?snoop=yes&lang=%27%3Cimg%20src/onerror=alert(1)%3E&params [1]. This is categorized under CWE-79 [1].

Exploitation and Attack Surface

The attack is performed remotely over the network without requiring authentication (CVSS v3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) [1]. The attacker must convince a user to click a crafted link, making it a reflected XSS requiring user interaction. The vulnerable page is part of a diagnostic suite (sitetest) that is not meant to be exposed to the Internet [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session theft, defacement, or redirection to malicious sites. The CVSS base score is 6.1 (Medium), reflecting the low confidentiality and integrity impact, but the attack can be a stepping stone for further compromise [1].

Mitigation Status

The vendor recommends removing the entire sitetest folder from Internet-facing web servers immediately [1]. Future releases of Cegid Meta4 HR will remove these diagnostic pages as they offer no real functionality. Affected organizations should apply this workaround until a permanent fix is available [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
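Because the vendor's guidance is that the sitetest diagnostic suite should never be Internet-facing, a defender's first question is whether it was ever reached. The following is an added example, not code from the advisory or from Cegid: it parses web-server access-log lines (constructed samples below, not real traffic) and flags any request to /sitetest/ as an exposure finding, and any dumpenv.jsp request whose lang parameter carries markup as an XSS attempt. The log format and field names are assumptions about a typical combined-format log.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2024:10:01:02 +0000] "GET /sitetest/english/dumpenv.jsp?snoop=yes&lang=en&params HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [19/Mar/2024:10:01:05 +0000] "GET /sitetest/english/dumpenv.jsp?snoop=yes&lang=%27%3Cimg%20src/onerror=alert(1)%3E&params HTTP/1.1" 200 734 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2024:10:02:30 +0000] "GET /hr/login.jsp?lang=en HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [19/Mar/2024:10:03:00 +0000] "GET /sitetest/english/index.jsp HTTP/1.1" 404 210 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# A language code should never contain tag delimiters, quotes, inline event
# handlers or a javascript: scheme; the advisory's payload uses <img ... onerror=...>.
MARKUP_RE = re.compile(r'[<>"\']|\bon\w+\s*=|javascript:', re.IGNORECASE)

def classify(target: str) -> Optional[str]:
    """Label a request target: 'sitetest-exposed' for any hit on the diagnostic
    suite, 'sitetest-xss-attempt' for dumpenv.jsp with markup in lang, else None."""
    parts = urlsplit(target)
    if not parts.path.startswith('/sitetest/'):
        return None
    if parts.path.endswith('/dumpenv.jsp'):
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get('lang', []):
            # parse_qs decoded once; unquote again so double-encoded payloads are caught.
            if MARKUP_RE.search(unquote(value)):
                return 'sitetest-xss-attempt'
    return 'sitetest-exposed'

def scan(log_text: str) -> List[dict]:
    """Return one finding per flagged log line, with the response status so a
    200 on an endpoint that should not exist stands out from a 404."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m['target'])
        if label:
            findings.append({'ip': m['ip'], 'status': int(m['status']),
                             'label': label, 'target': m['target']})
    return findings

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['label']:22} {f['ip']:15} {f['status']} {f['target']}")
```

A 200 on any /sitetest/ path confirms the folder was still deployed at that time; the XSS-attempt label only shows that a payload was sent, not that a victim's browser rendered it.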

Affected products (1)

  • Cegid/HRllm-create
    Range: <=819.001.022

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.