VYPR
Medium severity 4.1 · NVD Advisory · Published May 7, 2024 · Updated Apr 15, 2026

CVE-2024-33748

Description

Cross-site scripting (XSS) vulnerability in the search function in Maven net.mingsoft MS Basic 2.1.13.4 and earlier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in MS Basic 2.1.13.4 and earlier allows attackers to inject arbitrary web script via the search function's error messages.

Root Cause

CVE-2024-33748 describes a cross-site scripting (XSS) vulnerability in the search function of Maven net.mingsoft MS Basic, affecting version 2.1.13.4 and earlier [1]. The flaw originates in the XssHttpServletRequestWrapper.clean method, which processes user input before it reaches the servlet. When an error occurs, the error page returns the exception's code and msg fields directly, without proper sanitization, allowing an attacker to inject arbitrary JavaScript [2].

Attack Vector

An attacker can exploit this vulnerability by crafting a malicious search query that triggers an error response. Because the error message reflects the attacker-controlled input without encoding, the injected script executes in the context of the victim's browser when the error page loads. No special privileges are required; the attack is accessible via the application's public search interface [2].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the browser of any user who views the affected error page. This could lead to session hijacking, credential theft, or defacement. The vulnerability is classified as medium severity with a CVSS v3.1 base score of 4.1, reflecting both the need for user interaction and the ease of exploitation [1].

Mitigation

As of the advisory publication date (2024-05-07), MS Basic 2.1.13.4 and earlier were vulnerable, while version 2.1.26 and later appear to have addressed the issue [3]. Users should upgrade to the latest available version to remediate this XSS vulnerability. No official workaround has been documented [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| net.mingsoft:ms-basic (Maven) | <= 2.1.13.4 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
