CVE-2024-34923
Description
In Avocent DSR2030 Appliance firmware 03.04.00.07 before 03.07.01.23, and SVIP1020 Appliance firmware 01.06.00.03 before 01.07.00.00, there is reflected cross-site scripting (XSS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Avocent DSR2030 (03.04.00.07) and SVIP1020 (01.06.00.03) firmware allows arbitrary HTML/JS execution via crafted links.
Vulnerability Overview
A reflected cross-site scripting (XSS) vulnerability exists in Avocent DSR2030 Appliance firmware versions prior to 03.07.01.23 and SVIP1020 Appliance firmware versions prior to 01.07.00.00 [1][2]. Reflected XSS occurs when an application does not properly validate or encode user-supplied data included in HTTP responses, enabling an attacker to inject malicious scripts into a victim's browser [2].
Attack Vector and Prerequisites
Attackers can craft a malicious URL containing XSS payloads that, when clicked by an authenticated or unauthenticated user (depending on application context), will execute arbitrary HTML or JavaScript within the victim's session. No special network access beyond standard web traffic is required; the attack relies on social engineering to trick users into visiting the crafted link [2].
Impact
Successful exploitation allows an attacker to perform actions such as altering the displayed page content, redirecting the victim to attacker-controlled sites, stealing session credentials, or in some cases exploiting browser vulnerabilities to achieve code execution [2]. The CVSS v3 base score is 6.1 (Medium).
Mitigation
Avocent has released firmware updates to address the issue: version 03.07.01.23 for DSR2030 and version 01.07.00.00 for SVIP1020 [1][2]. Users should upgrade immediately to the fixed versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
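To act on the mitigation above, the following added example (not part of the CVE record or any Avocent tooling) triages an appliance inventory against the firmware ranges in the description. It assumes the first version named for each product is the lower bound of the affected range and that firmware strings use the four-field dotted form shown on this page; the hostnames and inventory rows are constructed.

```python
# Added example: classify appliances against the CVE-2024-34923 firmware ranges.
# Assumption: "X before Y" in the description means X <= version < Y is affected.
AFFECTED = {
    # model: (first listed affected version, first fixed version)
    "DSR2030": ("03.04.00.07", "03.07.01.23"),
    "SVIP1020": ("01.06.00.03", "01.07.00.00"),
}


def parse_version(text):
    """Turn '03.07.01.23' into (3, 7, 1, 23) so fields compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version format: {text!r}")
    return tuple(int(p) for p in parts)


def classify(model, firmware):
    """Return one of: affected, fixed, below-listed-range,
    not-in-advisory, unparseable."""
    bounds = AFFECTED.get(model.strip().upper())
    if bounds is None:
        return "not-in-advisory"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unparseable"  # flag for manual review, never assume safe
    first, fixed = (parse_version(b) for b in bounds)
    if version >= fixed:
        return "fixed"
    if version >= first:
        return "affected"
    # Older than the first listed version: the record does not say either way.
    return "below-listed-range"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(model, fw) for host, model, fw in inventory}


# Constructed inventory rows: (host, model, reported firmware)
INVENTORY = [
    ("kvm-rack01.example.internal", "DSR2030", "03.06.00.01"),
    ("kvm-rack02.example.internal", "DSR2030", "03.07.01.23"),
    ("svip-lab.example.internal", "svip1020", "01.06.00.02"),
    ("kvm-old.example.internal", "DSR2030", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `below-listed-range` or `unparseable` need manual confirmation, since the record only states the range starting at the first listed version.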
Affected products: 2
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.