CVE-2024-31946
Description
An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.41, 3.10.0 through 3.11.29, 4.0 through 4.3.24, and 4.4.0 through 4.7.4. A user who has access to the SNS with write access on the email alerts page has the ability to create an alert email containing malicious JavaScript, which is executed by the template preview. The following versions fix this: 3.7.42, 3.11.30, 4.3.25, and 4.7.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated admin with write access to email alert templates in Stormshield Network Security can inject stored XSS via malicious JavaScript, executed during template preview.
Vulnerability
CVE-2024-31946 is a stored Cross-Site Scripting (XSS) vulnerability in Stormshield Network Security (SNS) appliances. The flaw resides in the email alert template feature. A user with write privileges on the email alerts page can inject arbitrary JavaScript into an alert email template [1]. This malicious script is then executed when another administrator previews that template [1].
Exploitation
Exploitation requires the attacker to have write access to the email alerts page on an affected SNS appliance. The attacker crafts a template containing JavaScript code. When another administrator (even one with lower privileges) previews the template, the injected script executes in the context of that administrator's browser session [1]. The attack vector is local and requires high privileges to set up, and it also relies on convincing another administrator to preview the template, i.e. user interaction is required [1].
Impact
The primary impact is confidentiality: an attacker can leverage the executed JavaScript to steal the previewing administrator's session cookies or other sensitive data visible in the browser, potentially gaining unauthorized access to the appliance's web interface at that administrator's privilege level. No integrity or availability impact is cited [1]. The official CVSS v3.1 score is 4.2 (Medium), with a local attack vector and high confidentiality impact [1].
Mitigation
The vulnerability affects SNS versions 3.7.0 through 3.7.41, 3.10.0 through 3.11.29, 4.0 through 4.3.24, and 4.4.0 through 4.7.4. It is fixed in versions 3.7.42, 3.11.30, 4.3.25, and 4.7.5 [1]. No workaround is available; users should upgrade to a patched version as soon as possible [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 3.7.0 - 3.7.41, 3.10.0 - 3.11.29, 4.0.0 - 4.3.24, 4.4.0 - 4.7.4