VYPR
Medium severity · CVSS 5.4 · NVD Advisory · Published Nov 13, 2024 · Updated Apr 15, 2026

CVE-2024-45879

Description

The file upload function in the "QWKalkulation" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site Scripting (XSS). To exploit the persistent XSS vulnerability, an attacker has to be authenticated to the application that uses the "TOPqw Webportal" as software. When authenticated, the attacker can persistently place malicious JavaScript code in the "QWKalkulation" menu.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated stored XSS in QWKalkulation file upload, fixed in v1.35.291.

Vulnerability Analysis

The file upload function in baltic-it TOPqw Webportal's QWKalkulation tool, located at /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to stored Cross-Site Scripting (XSS). The vulnerability exists because user-supplied file names or metadata are insufficiently sanitized before being rendered in the application UI, allowing an attacker to inject persistent malicious JavaScript into the 'QWKalkulation' menu [1]. This issue affects version 1.35.287.1 and was fixed in version 1.35.291.
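As an added illustration (not the product's own ASP.NET code, which is not reproduced here), the flawed pattern the analysis describes beside its hardened form: an uploaded file name rendered into a menu without output encoding, versus one validated at upload time and HTML-encoded at render time. The file names and the menu markup are constructed for the example.

```python
import html
import re

# Constructed sample uploads: a benign name and one carrying markup that a
# browser would execute if it were written into the page unencoded.
UPLOADED_NAMES = [
    "kalkulation_2024.xlsx",
    '<img src=x onerror="alert(document.cookie)">.xlsx',
]

# Assumed allowlist for file names: letters, digits, space, dot, dash, underscore.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.\- ]{1,100}")


def render_menu_vulnerable(names):
    """The bug pattern: names concatenated into HTML as-is (stored XSS)."""
    items = "".join(f"<li>{n}</li>" for n in names)
    return f"<ul id='qwk-menu'>{items}</ul>"


def accept_upload_name(name):
    """Upload-time control: reject names outside the allowlist or hidden-file names."""
    return SAFE_NAME.fullmatch(name) is not None and not name.startswith(".")


def render_menu_hardened(names):
    """Render-time control: encode every name, even if upload validation exists."""
    items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names)
    return f"<ul id='qwk-menu'>{items}</ul>"


def upload_name_is_suspicious(name):
    """Triage helper for upload logs: flags names containing HTML-significant characters."""
    return any(ch in name for ch in "<>\"'&")


def review_uploads(names):
    """Return the subset of stored names worth reviewing after a deployment of the fix."""
    return [n for n in names if upload_name_is_suspicious(n)]
```

Validation alone is not sufficient: names already stored before the fix still reach the menu, so the encoding in render_menu_hardened is the control that actually closes the bug.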

Attack Vector and Prerequisites

To exploit this vulnerability, an attacker must first authenticate to the TOPqw Webportal. Once logged in, the attacker can upload a file containing malicious JavaScript via the vulnerable upload form. The injected script is then stored persistently and executed whenever a user views the affected menu [1]. The attack requires valid credentials, but because the vulnerable surface is reachable by any authenticated account, every user with access to the upload function could place an XSS payload.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other authenticated users' browsers. This could lead to session hijacking, credential theft, or defacement within the portal. Given that TOPqw Webportal stores sensitive personal information and confidential social services documents [1], the impact includes unauthorized data access or further escalation within the application.

Mitigation

bit baltic information technologies GmbH has released version 1.35.291 which addresses this issue. All users of the affected version should upgrade immediately. No workarounds have been published, and there are no reports of exploitation in the wild as of the advisory date [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)