CVE-2024-37828
Description
A stored cross-site scripting (XSS) in Vermeg Agile Reporter v23.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field under the Set Broadcast Message module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Vermeg Agile Reporter v23.2.1 allows an admin to inject arbitrary scripts via the broadcast message field.
Vulnerability Overview
CVE-2024-37828 is a stored cross-site scripting (XSS) vulnerability found in Vermeg Agile Reporter version 23.2.1. The issue resides in the Set Broadcast Message module, where the Message field does not properly sanitize user input. An authenticated administrator can inject arbitrary HTML or JavaScript payloads, which are then stored and executed in the context of other users' sessions when they view the broadcast message [1].
Exploitation Details
Exploitation requires an administrator account, as only privileged users have access to the Set Broadcast Message feature. To reproduce, the admin navigates to Settings > Administration > Product Update, selects "Set Broadcast Message," and pastes a crafted payload (e.g., an HTML tag with an `onerror` event handler) into the Message field. After saving with a defined start and end time, the payload executes automatically on every page load for any user viewing the application [2].
Impact
Successful exploitation allows an attacker with admin privileges to execute arbitrary JavaScript in the browsers of other users. This can lead to session hijacking, defacement, or theft of sensitive data displayed in the application. The stored nature of the XSS means the payload persists until the broadcast message is removed or expires.
Mitigation
Vermeg's advisory does not currently mention a patch for the specific version, but users are advised to restrict admin panel access to trusted personnel and sanitize input in the Message field. Organizations using Agile Reporter should monitor vendor updates for a fix [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 23.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.