VYPR
Medium severity (6.1) · OSV Advisory · Published Nov 29, 2024 · Updated Apr 15, 2026

CVE-2024-39162

Description

pyspider through 0.3.10 allows /update XSS. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pyspider through 0.3.10 contains a stored XSS vulnerability in the /update endpoint, enabling arbitrary JavaScript execution.

Vulnerability

CVE-2024-39162 is a stored cross-site scripting (XSS) vulnerability in pyspider through version 0.3.10, specifically in the /update endpoint of the web UI. The vulnerability stems from insufficient sanitization of user-supplied input, allowing attackers to inject malicious scripts that are later rendered in the browser of an authenticated victim [1][3].

Exploitation

An attacker can craft a malicious payload and submit it via the /update feature; the payload is stored and executed when a victim accesses affected pages. No special privileges beyond the ability to reach the web UI are required, though an authenticated victim must trigger the stored script. The web UI may operate without authentication or with weak HTTP Basic Authentication, lowering the barrier for initial access [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, defacement, or redirection to malicious sites. Because pyspider's web UI also permits script editing and task management, an XSS chain could potentially escalate to more severe actions if combined with other weaknesses [1][4].

Mitigation

The maintainer has archived the GitHub repository and is no longer providing patches. Users are strongly advised to deprecate use of pyspider or, if unavoidable, isolate the web UI with strong authentication and restrict network access to trusted hosts only [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          | Affected versions | Patched versions
pyspider (PyPI)  | <= 0.3.10         | none listed

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)