CVE-2024-42852
Description
Cross Site Scripting vulnerability in AcuToWeb server v.10.5.0.7577C8b allows a remote attacker to execute arbitrary code via the index.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in AcuToWeb server 10.5.0.7577C8b allows remote attackers to execute arbitrary JavaScript via the portgw parameter in index.php.
Vulnerability
Description
A reflected cross-site scripting (XSS) vulnerability exists in AcuToWeb server version 10.5.0.7577C8b. The flaw is in the index.php component, specifically in its handling of the portgw parameter. The parameter value is reflected into the page with only double quotes and angle brackets escaped. That escaping protects an HTML text node or attribute, but here the value is reflected into a JavaScript context, where neither quotes nor angle brackets are needed to break out: a semicolon ends the statement the value sits in, and whatever follows it is parsed as new JavaScript [1].
Exploitation
An attacker exploits this by crafting a URL with a payload in the portgw parameter, such as http://ip:port/?portgw=80089948;%20alert(1). Decoded, the value is 80089948; alert(1): the leading digits look like the expected port value, the semicolon terminates the statement, and alert(1) runs as a separate statement. When a webmaster or administrator opens this URL, the injected script executes in their browser session [1]. No authentication is required, and the link can be delivered by email or any other social-engineering channel.
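The following is an added example, not AcuToWeb's or OpenText's code. It models the escaping the advisory describes (only ", < and > neutralised) and puts the value where the advisory's payload only makes sense, inside an inline script assignment; that placement is an assumption, since the vendor's index.php is not public. It then shows the two-step hardening a practitioner would apply: validate portgw as a TCP port, and emit it as a JavaScript literal.

```javascript
// Added example, not AcuToWeb's or OpenText's code. The <script> placement of
// portgw is an assumption; the advisory only shows the payload and the parameter.

// The query string from the advisory's URL, as the server receives it.
const ADVISORY_QUERY = "portgw=80089948;%20alert(1)";

// Decode the parameter the way the server does (%20 becomes a space).
function getPortgw(queryString) {
  return new URLSearchParams(queryString).get("portgw");
}

// The insufficient escaping described in the advisory: quotes and angles only.
function escapeQuotesAndAngles(value) {
  return String(value)
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable render: the value lands unquoted in a JavaScript statement, so the
// attacker's ";" ends the assignment and everything after it runs as code.
// No ", < or > is needed, which is why the escaping above changes nothing.
function renderVulnerable(portgw) {
  return `<script>var portgw = ${escapeQuotesAndAngles(portgw)};</script>`;
}

// Hardened step 1: portgw names a TCP port, so accept only an integer 1..65535.
// Returns the number, or null for anything else (including the payload).
function parsePort(value) {
  if (typeof value !== "string" || !/^\d{1,5}$/.test(value)) return null;
  const n = Number(value);
  return n >= 1 && n <= 65535 ? n : null;
}

// Hardened step 2: emit the validated value as a JSON literal. JSON.stringify
// yields a valid JS literal for numbers and strings alike, and rewriting "</"
// keeps a string value from ever closing the surrounding script tag.
function renderHardened(portgw) {
  const port = parsePort(portgw);
  if (port === null) throw new Error("portgw must be a port number");
  const literal = JSON.stringify(port).replace(/<\//g, "<\\/");
  return `<script>var portgw = ${literal};</script>`;
}

// Does the rendered page carry a function call after the assignment statement?
function containsInjectedCall(html) {
  return /var portgw = [^;]*;\s*[A-Za-z_$][\w$]*\s*\(/.test(html);
}

function demo() {
  const value = getPortgw(ADVISORY_QUERY);   // "80089948; alert(1)"
  const vulnerable = renderVulnerable(value); // alert(1) becomes a statement
  let hardened;
  try {
    hardened = renderHardened(value);
  } catch (e) {
    hardened = `rejected: ${e.message}`;
  }
  return { value, vulnerable, hardened, safe: renderHardened("8008") };
}

console.log(JSON.stringify(demo(), null, 2));
```

The validation step alone would have stopped this payload; the literal-encoding step is what keeps the next parameter that is not a port number from turning into the same bug.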
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, defacement, credential theft, or other client-side attacks. Since the vulnerability affects the administrative interface, an attacker could potentially gain elevated access or manipulate server settings [1].
Mitigation
As of publication, no official patch has been released by OpenText, the vendor. The researcher reported the issue in January 2024 but received no response. Users are advised to restrict network access to the AcuToWeb server, implement web application firewall (WAF) rules to filter malicious payloads, or consider migrating to an alternative solution [1].
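With no vendor patch, the practical control is to spot and block the pattern at the edge or in logs. The following is an added example, not from the advisory or the vendor: it scans access-log lines for requests whose portgw value is anything other than a port number, which is the same condition a WAF rule for this issue would match on. The log lines, client addresses and paths are constructed for this example.

```javascript
// Added example, not from the advisory or vendor. Sample access-log lines are
// constructed for this example and do not come from a real incident.
const SAMPLE_ACCESS_LOG = [
  '203.0.113.10 - - [20/May/2026:10:00:01 +0000] "GET /?portgw=8008 HTTP/1.1" 200 512',
  '203.0.113.10 - - [20/May/2026:10:00:07 +0000] "GET /?portgw=80089948;%20alert(1) HTTP/1.1" 200 612',
  '198.51.100.7 - - [20/May/2026:10:01:15 +0000] "GET /index.php?portgw=8008%3Balert(document.domain) HTTP/1.1" 200 640',
  '198.51.100.7 - - [20/May/2026:10:02:00 +0000] "GET /index.php?lang=en HTTP/1.1" 200 300',
];

// Pull the client IP and request target out of a common-log-format line.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? { ip: m[1], target: m[2] } : null;
}

// A legitimate portgw is a bare integer in the TCP port range.
function isValidPortgw(value) {
  return /^\d{1,5}$/.test(value) && Number(value) >= 1 && Number(value) <= 65535;
}

// Flag requests whose decoded portgw is anything other than a port number.
// Matching on the decoded value matters: "%3B" is ";" to the server, so a rule
// that looks for a literal ";" in the raw URL misses the third sample line.
function detectPortgwInjection(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    // The base is a placeholder; only the path and query are of interest.
    const url = new URL(req.target, "http://placeholder.invalid");
    const portgw = url.searchParams.get("portgw");
    if (portgw !== null && !isValidPortgw(portgw)) {
      hits.push({ ip: req.ip, path: url.pathname, portgw });
    }
  }
  return hits;
}

console.log(detectPortgwInjection(SAMPLE_ACCESS_LOG));
```

An allow-list on the expected value (a port number) is the rule to deploy here, rather than a deny-list of JavaScript keywords: the latter is what percent-encoding and alternative payload forms are built to slip past.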
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 10.5.0.7577C8b
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.