VYPR
Moderate severity · NVD Advisory · Published Mar 18, 2024 · Updated Mar 20, 2025

CVE-2024-28128


Description

FitNesse before 20220319 contains a stored cross-site scripting (XSS) vulnerability via a specially crafted parameter, enabling arbitrary script execution in a victim's browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Overview

CVE-2024-28128 is a cross-site scripting (XSS) vulnerability in FitNesse, the wiki-based acceptance testing framework. The flaw exists in all releases prior to version 20220319 [1][4]. An attacker can inject arbitrary client-side script by crafting a link that carries a specially designed value in the affected parameter. When a FitNesse user opens that link, the injected script executes in their browser [1][4]. Although the description labels the issue stored XSS, the delivery described in the sources is a crafted link, i.e. the reflected pattern [1][4].

Attack Vector

No authentication is required for exploitation, which makes the attack surface broad: the attacker only needs to convince a user of the FitNesse instance to open a malicious link [1][4]. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries a CVSS v3 base score of 6.1 (Medium) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, i.e. network access, low attack complexity, no privileges required, user interaction required, and a changed scope, since the script runs in the user's browser rather than in the FitNesse server itself [4].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's session. This can lead to session hijacking, defacement, or theft of sensitive data displayed on the wiki pages [1][4]. The vulnerability is part of a series of FitNesse issues published simultaneously, including other XSS (CVE-2024-23604), XXE (CVE-2024-28039), and OS command injection (CVE-2024-28125) flaws, but CVE-2024-28128 specifically stems from insufficient input sanitization of a single parameter [4].

Mitigation

The vendor resolved the issue in FitNesse release 20220319 [1][4]. Users running older versions should upgrade immediately to the latest release available from the official FitNesse download page or GitHub repository [2][3]. No workaround has been documented, so updating is the only reliable fix [4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package               | Ecosystem | Affected versions | Patched versions
org.fitnesse:fitnesse | Maven     | < 20220319        | 20220319
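As an added example (not code from the advisory or from the FitNesse project), the following script applies the affected range above to a Maven POM: it resolves ${property} version placeholders from <properties>, rejects version strings that are not FitNesse's dated YYYYMMDD form rather than guessing, and flags a missing or unresolvable version as unknown instead of silently passing it. The POM it scans is constructed for the demo.

```python
"""Find org.fitnesse:fitnesse dependencies in a Maven POM that fall in the
affected range of CVE-2024-28128 (< 20220319; patched in 20220319).

Added example, not part of the advisory or of FitNesse. SAMPLE_POM is
constructed for the demo; in practice feed it the real pom.xml."""
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP, AFFECTED_ARTIFACT = "org.fitnesse", "fitnesse"
PATCHED_VERSION = "20220319"      # from the advisory's affected-packages table

# FitNesse releases are dated YYYYMMDD; anything else is rejected, not guessed.
FITNESSE_VERSION_RE = re.compile(r"^\d{8}$")
PROPERTY_RE = re.compile(r"^\$\{([^}]+)\}$")   # Maven ${property} placeholder

# Constructed sample: an affected FitNesse dependency pinned via a property,
# plus an unrelated dependency that must not be reported.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>acceptance-tests</artifactId>
  <version>1.0</version>
  <properties>
    <fitnesse.version>20201221</fitnesse.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.fitnesse</groupId>
      <artifactId>fitnesse</artifactId>
      <version>${fitnesse.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""


def is_affected(version: str) -> bool:
    """True when a dated FitNesse release string is older than the fix."""
    if not FITNESSE_VERSION_RE.match(version):
        raise ValueError(f"not a dated FitNesse version: {version!r}")
    return int(version) < int(PATCHED_VERSION)


def affected_dependencies(pom_xml: str) -> list:
    """Return (groupId, artifactId, version, status) for every
    org.fitnesse:fitnesse dependency that is either in the affected range
    ('affected') or whose version cannot be determined ('unknown', e.g. an
    unresolved placeholder or a version managed elsewhere). Patched
    dependencies are not returned."""
    root = ET.fromstring(pom_xml)
    # POMs usually carry the default Maven namespace; handle both cases.
    ns_uri = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def q(tag):
        return f"{{{ns_uri}}}{tag}" if ns_uri else tag

    props = {}
    props_el = root.find(q("properties"))
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()

    findings = []
    for dep in root.iter(q("dependency")):
        gid = (dep.findtext(q("groupId")) or "").strip()
        aid = (dep.findtext(q("artifactId")) or "").strip()
        if (gid, aid) != (AFFECTED_GROUP, AFFECTED_ARTIFACT):
            continue
        ver = (dep.findtext(q("version")) or "").strip()
        placeholder = PROPERTY_RE.match(ver)
        if placeholder:
            ver = props.get(placeholder.group(1), ver)
        if not FITNESSE_VERSION_RE.match(ver):
            findings.append((gid, aid, ver, "unknown"))
        elif is_affected(ver):
            findings.append((gid, aid, ver, "affected"))
    return findings


if __name__ == "__main__":
    for gid, aid, ver, status in affected_dependencies(SAMPLE_POM):
        print(f"{gid}:{aid}:{ver or '?'} -> {status} (fix: {PATCHED_VERSION})")
```

A version that is inherited from a parent POM or a BOM shows up as an empty string and is reported as unknown; resolve those with the effective POM (e.g. `mvn help:effective-pom`) before concluding that an instance is patched.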

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are generated only when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 6

News mentions: 0. No linked articles in our index yet.