CVE-2024-36498
Description
Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL
https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre
The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. Version 7.40 implemented a fix, but it could be bypassed via URL-encoding the Javascript payload again.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Image Access Scan2Net's Edit Disclaimer Text allows privileged users to inject JavaScript that executes in ScanWizard, even in Kiosk-mode; fix in v7.40 bypassable via URL-encoding.
Vulnerability
Overview
CVE-2024-36498 is a stored cross-site scripting (XSS) vulnerability in the "Edit Disclaimer Text" function of Image Access Scan2Net firmware. The root cause is missing input sanitization, allowing an authenticated user with Poweruser or Admin privileges to inject arbitrary JavaScript. The vulnerable endpoint is accessible at /cgi/admin.cgi?-rdisclaimer+-apre [1].
Exploitation
An attacker with the required privileges can craft a JavaScript payload and submit it via the Edit Disclaimer Text function. While version 7.40 introduced a fix, it can be bypassed by URL-encoding the payload. Once stored, the malicious script executes every time the ScanWizard interface is loaded, including in Kiosk-mode browsers, ensuring broad exposure to other users [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other users' browsers. This can lead to session hijacking, data theft, defacement, or further attacks within the Scan2Net environment. The stored nature of the XSS means the payload persists until removed.
Mitigation
Image Access has addressed this vulnerability in firmware version 7.42B. Users are strongly advised to update to the latest firmware. As the vulnerability requires privileged access, organizations should also review user permissions and restrict access to the configuration menu [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3News mentions
0No linked articles in our index yet.