CVE-2024-4424
Description
The access control in CemiPark software does not properly validate user-entered data, which allows stored cross-site scripting (XSS) attacks. The parameters used to enter data into the system do not have appropriate validation, which makes it possible to smuggle in HTML/JavaScript code. This code will be executed in the user's browser space. This issue affects CemiPark software: 4.5, 4.7, 5.03 and potentially others. The vendor refused to provide the specific range of affected products.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CemiPark software versions 4.5, 4.7, 5.03 are vulnerable to stored cross-site scripting due to improper input validation, allowing attackers to execute malicious scripts in users' browsers.
Vulnerability Details
The access control in CemiPark software fails to properly validate user-supplied input, enabling stored cross-site scripting (XSS) attacks. Parameters used for data entry lack appropriate sanitization, allowing attackers to inject HTML and JavaScript code [1][2]. This vulnerability affects versions 4.5, 4.7, 5.03, and potentially other unspecified versions. The vendor has not responded to attempts to disclose the issue, and the exact range of affected products remains unknown.
Exploitation and Impact
To exploit this vulnerability, an attacker must have the ability to input data into the system, such as through user registration or configuration fields. The injected script is stored on the server and executed in the context of any user's browser when viewing the affected page. Depending on the input vector, authentication may not be required, but typically some level of access is needed. Successful exploitation can lead to session hijacking, data theft, or defacement within the CemiPark web interface.
Mitigation
As of the publication date, no official patch or workaround has been released by the vendor. Users are advised to restrict network access to the CemiPark software and apply input validation measures at the application layer if possible. Given the lack of vendor response, organizations should consider upgrading to an alternative solution if the software is critical.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (3)