CVE-2024-3687
Description
A vulnerability was found in bihell Dice 3.1.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Comment Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260474 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in bihell Dice 3.1.0's comment handler allows remote attackers to inject arbitrary scripts via crafted comment payloads.
Vulnerability
Overview
CVE-2024-3687 describes a stored cross-site scripting (XSS) vulnerability in the comment handler of bihell Dice version 3.1.0. The application fails to properly sanitize user-supplied input when submitting comments, allowing an attacker to inject arbitrary HTML and JavaScript code that is stored and later executed when the page is viewed [1].
Exploitation
An attacker can exploit this vulnerability by submitting a comment containing a malicious payload, such as ``, through the comment form. The attack is performed remotely and does not require authentication, as the comment submission feature is publicly accessible. The injected script executes when any user, including administrators, visits the page containing the comment, leading to a stored XSS scenario [1].
Impact
Successful exploitation can result in the theft of sensitive information, including session tokens, cookies, and personal data. The reference specifically notes that an attacker could steal an administrator's cookie, potentially leading to account takeover and further compromise of the Dice CMS instance [1].
Mitigation
No official patch has been released by the vendor at the time of disclosure. The reference recommends implementing output encoding, input validation and sanitization, and a Content Security Policy (CSP) to mitigate the risk. Users of Dice 3.1.0 should apply these defensive measures or consider upgrading if a fixed version becomes available [1].
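The two rendering patterns below illustrate the mitigation the reference recommends. This is an added example, not code from the Dice project: the function names (renderCommentUnsafe, renderCommentSafe, buildCsp) and the sample comment are constructed for illustration.

```javascript
// Added example (not Dice project code): output encoding for stored comment
// content, the vulnerable pattern beside the hardened one, plus a CSP header.
// Function names and the sample comment are hypothetical / constructed.

// Encode the five characters that let text break out of an HTML text node or
// attribute value. Applied at output time, so the stored comment stays as typed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[ch]);
}

// Vulnerable pattern: the stored comment is concatenated straight into markup,
// so any tags it contains become part of the page for every visitor who loads it.
function renderCommentUnsafe(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened pattern: every untrusted field is encoded before it reaches markup.
function renderCommentSafe(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ` +
    `${escapeHtml(comment.body)}</li>`;
}

// Defence in depth: a Content-Security-Policy that only allows scripts from the
// site's own origin, so an inline <script> that slipped past encoding is not
// executed by a CSP-aware browser.
function buildCsp() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample comment standing in for a malicious submission.
const sampleComment = {
  author: 'visitor',
  body: 'nice post <script>/* constructed */</script>',
};

// Detection helper for tests/review: true when rendered markup still carries a
// raw <script> tag, i.e. the comment body was not encoded.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe(sampleComment));
console.log('safe:  ', renderCommentSafe(sampleComment));
```

Encoding is context-specific: this covers the HTML text-node context in which comment bodies are shown; content placed into attributes, URLs or inline scripts needs the encoder for that context.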
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.