CVE-2024-44771
Description
BigId PrivacyPortal v179 is vulnerable to Cross Site Scripting (XSS) via the "Label" field in the Report template function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in BigID PrivacyPortal v179 allows authenticated attackers to inject JavaScript via the Label field in report templates, enabling session hijacking.
CVE-2024-44771 describes a Stored Cross-Site Scripting (XSS) vulnerability in BigID PrivacyPortal version 179. The bug originates from improper sanitization of the 'Label' field within the Report template function. An authenticated user can inject arbitrary JavaScript code into this field, which is then stored and executed in the context of other users' browsers when they view the affected report template [1].
Exploitation requires the attacker to have valid authentication credentials for the BigID PrivacyPortal application. The attack is carried out by crafting a report template and setting the Label parameter to include malicious JavaScript. When other authenticated users (potentially including administrators) access the same report template, the stored script executes within their browser session [1]. The application's purpose, as described in reference [2], is to serve as a privacy portal for data subject rights requests, consent management, and report generation, which gives stored XSS a large attack surface within these workflows.
The impact of successful exploitation is significant. An attacker can steal active session cookies, enabling session hijacking. This allows the attacker to impersonate the victim and perform unauthorized actions, such as adding new users, modifying system settings, stealing personal data from privacy reports, or launching targeted phishing attacks from within the trusted application context [1]. Since the XSS persists in the template, multiple victims can be affected each time they access the compromised report.
AppGate's Threat Advisory Services discovered the vulnerability and disclosed it responsibly to BigID. BigID has released a patch to address the issue; users are strongly advised to upgrade to a patched version of the software [1]. At the time of publication, there is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog. No workaround is mentioned beyond applying the vendor-supplied patch.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =179
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.