CVE-2024-39610
Description
A stored cross-site scripting (XSS) vulnerability in FitNesse versions prior to 20241026 allows an attacker to execute arbitrary scripts in a victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
FitNesse releases prior to 20241026 contain a stored cross-site scripting (XSS) vulnerability [1][4]. The product fails to properly sanitize user-controlled input before rendering it in wiki pages, allowing an attacker to inject malicious scripts [4]. This is a classic XSS flaw (CWE-79) [4].
Attack Vector
An unauthenticated attacker can inject a crafted script payload into a FitNesse page [1][4]. When another user (such as an administrator or a test engineer) views the page, the injected script executes in the context of their browser session [1]. No special network access is required; the attack can be performed remotely over HTTP [4]. The victim does not need to have administrative privileges for the script to run [1][4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser [1]. This can be used to steal session cookies, deface the wiki, perform actions on behalf of the victim, or redirect the user to a malicious site. The CVSS v3.0 base score is 6.1 (Medium), reflecting a low impact to confidentiality and integrity and no impact to availability [4].
Mitigation
The vendor has fixed the vulnerability in FitNesse release 20241026 [2][4]. Users running earlier versions should update to this or a later release immediately [2][4]. The official download page and GitHub repository provide the patched standalone JAR [2][3]. No workarounds are documented; updating the software is the recommended solution [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.fitnesse:fitnesse (Maven) | < 20241026 | 20241026 |
Affected products (2)
Patches (1)
c753e66ba162
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (6)
News mentions (0)
No linked articles in our index yet.