CVE-2024-36494

Description

The login page of Image Access Scan2Net devices, specifically the endpoint /cgi/slogin.cgi, is vulnerable to cross-site scripting (XSS) due to improper input sanitization of the -tsetup+-uuser parameter. This flaw allows an attacker to inject arbitrary JavaScript that executes in the browser of any user who accesses the crafted login page. The root cause is missing input validation on a POST parameter that is reflected in the page content.

Exploitation

The attack requires that the target user is not already logged in, because the vulnerable login page is only served to unauthenticated visitors. This limitation makes the vulnerability particularly suited for phishing attacks. An attacker can craft a malicious link or form that directs a victim to the login page with a payload embedded in the parameter. When the victim visits the URL, the injected script runs in their browser context, potentially capturing credentials or performing other malicious actions.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can be used to steal session cookies, redirect users to attacker-controlled sites, or perform actions on behalf of the victim within the application. The XSS can also be leveraged to deface the login page or harvest credentials through a convincing login form overlay [1].

Mitigation

The vulnerability is addressed in firmware version v7.42B of the Scan2Net platform. All versions prior to this fix are affected. Users should update their devices to the latest firmware to remediate the issue. No workarounds are mentioned in the advisory, so applying the patch is the recommended course of action. This CVE is part of a larger set of vulnerabilities discovered by researchers at SEC Consult [1].