CVE-2024-2634
Description
A Cross-Site Scripting vulnerability has been found in Meta4 HR affecting version 819.001.022 and earlier. The endpoint '/sse_generico/generico_login.jsp' is vulnerable to an XSS attack via the 'lang' query parameter, for example '/sse_generico/generico_login.jsp?lang=%27%3balert(%27BLEUSS%27)%2f%2f&params='.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Scripting vulnerability in Meta4 HR through 819.001.022 via lang parameter in generico_login.jsp, allowing arbitrary script execution.
CVE-2024-2634 is a Cross-Site Scripting (XSS) vulnerability found in Meta4 HR, version 819.001.022 and earlier. The flaw resides in the /sse_generico/generico_login.jsp endpoint, where the lang query parameter is not properly sanitized before being reflected in the response. This allows an attacker to inject arbitrary HTML or JavaScript code. [1]
Exploitation requires no authentication but does require user interaction, as the victim must click on a crafted link. An attacker can deliver the malicious URL via phishing or other means. The vulnerability is exposed on internet-facing web servers, increasing the attack surface. [1]
Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, information disclosure, or defacement. The CVSS v3.1 base score is 6.1 (Medium), with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, reflecting low confidentiality and integrity impact but scope change. [1]
According to the advisory, any product with all fixes applied after 2013 is not vulnerable to this XSS. Users are advised to update to a patched version or apply the necessary fixes. For environments where the application is exposed to the internet, removing the vulnerable pages from public access is recommended. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
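For triage, a web access log can be checked for requests to the affected endpoint whose `lang` value is not a plain language tag. The following is an added example, not code from the advisory or the vendor; the combined log format, the language-tag pattern and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the CVE description.
VULN_PATH = "/sse_generico/generico_login.jsp"
PARAM = "lang"

# Assumption: legitimate values are short language tags such as "es" or "en-GB".
SAFE_LANG = re.compile(r"[A-Za-z]{2,3}(?:[-_][A-Za-z0-9]{2,8})?")

# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_lang_values(log_line):
    """Return decoded 'lang' values sent to the affected endpoint that are not language tags."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # Drop servlet path parameters such as ";jsessionid=..." before comparing.
    path = url.path.split(";", 1)[0].lower()
    if path != VULN_PATH:
        return []
    # parse_qs percent-decodes values, so encoded quotes and slashes become visible.
    values = parse_qs(url.query).get(PARAM, [])
    return [v for v in values if not SAFE_LANG.fullmatch(v)]


def scan(lines):
    """Return (line_number, decoded_value) pairs for every suspicious request."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_lang_values(line)]


# Constructed sample log; line 2 carries the proof-of-concept value from the description.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /sse_generico/generico_login.jsp?lang=es HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/Mar/2024:10:04:40 +0000] "GET /sse_generico/generico_login.jsp?lang=%27%3balert(%27BLEUSS%27)%2f%2f&params= HTTP/1.1" 200 5188',
    '203.0.113.9 - - [12/Mar/2024:10:05:11 +0000] "GET /sse_generico/generico_login.jsp;jsessionid=ABC123?lang=en-GB HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2024:10:06:30 +0000] "GET /index.jsp?lang=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: unexpected lang value {value!r}")
```

The same allow-list pattern can back a reverse-proxy or WAF rule that rejects non-conforming `lang` values until the fixes are applied.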