VYPR
Severity: Unrated (NVD Advisory) · Published May 14, 2024 · Updated Feb 13, 2025

CVE-2024-33866

Description

Cross-site scripting (XSS) vulnerability in linqi before 1.4.0.1 on Windows via the /api/DocumentTemplate/{GUID} endpoint allows remote attackers to inject arbitrary web scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in linqi for Windows versions prior to 1.4.0.1. The issue resides in the /api/DocumentTemplate/{GUID} endpoint, where user-supplied input in the GUID parameter is not properly sanitized before being reflected in the response. This allows an attacker to inject arbitrary JavaScript or HTML code.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL containing a script payload in the GUID parameter. The victim must be tricked into clicking the crafted link or visiting a page that triggers the request. No authentication is required to reach the endpoint, but user interaction is necessary for the XSS to execute in the victim's browser.

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, theft of sensitive data, defacement, or further attacks against the application and its users.

Mitigation

The vulnerability is resolved in linqi version 1.4.0.1 [2]. Users are strongly advised to upgrade to this version or later. No workarounds have been disclosed. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
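To make the Vulnerability and Mitigation notes above concrete, here is an added example (not linqi's code, which this page does not show) of a request handler for a route shaped like /api/DocumentTemplate/{GUID}: a reflecting variant of the pattern the narrative describes beside a hardened variant that accepts only a canonical GUID and HTML-encodes anything it echoes. The `Response` type, the handler names and the in-memory template store are assumptions made for the illustration.

```python
import html
import uuid
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    content_type: str
    body: str


def parse_guid(raw: str):
    """Return the canonical lowercase GUID, or None unless `raw` is exactly one.

    uuid.UUID() is lenient (braces, urn: prefix, missing hyphens), so the
    round-trip comparison rejects anything that is not the plain 8-4-4-4-12 form.
    """
    try:
        parsed = uuid.UUID(raw)
    except (ValueError, TypeError, AttributeError):
        return None
    if str(parsed) != raw.lower():
        return None
    return str(parsed)


def document_template_reflecting(raw_guid: str, templates: dict) -> Response:
    """Constructed weak handler: the unvalidated path segment is echoed into HTML."""
    if raw_guid in templates:
        return Response(200, "text/html", templates[raw_guid])
    # Whatever the caller put in the path lands verbatim in the markup.
    return Response(404, "text/html", f"<p>Template {raw_guid} not found</p>")


def document_template_hardened(raw_guid: str, templates: dict) -> Response:
    """Validate first, reflect only the canonical value, and encode it anyway."""
    guid = parse_guid(raw_guid)
    if guid is None:
        # Fail closed with a fixed message that carries no caller-controlled bytes.
        return Response(400, "text/plain; charset=utf-8", "invalid template id")
    if guid in templates:
        return Response(200, "text/html; charset=utf-8", templates[guid])
    # Defence in depth: the value is already a bare hex GUID, but encode regardless.
    return Response(404, "text/html; charset=utf-8",
                    f"<p>Template {html.escape(guid)} not found</p>")
```

Feeding both handlers a constructed non-GUID path segment such as `<b>x</b>` shows the difference: the first echoes the tag into its 404 body, the second answers 400 with a body that contains no markup at all.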

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • linqi/linqi (description)
  • linqi/linqi (llm-create)
    Range: <1.4.0.1

Patches

No patches discovered yet.

References
