CVE-2024-47947
Description
Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browsers of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the Poweruser and Admin users can use this function, which is available at the URL
https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre
The stored JavaScript payload is executed every time the ScanWizard is loaded, even in the Kiosk-mode browser.
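The defect described above is an output-encoding failure: text saved by a privileged user is later interpolated into HTML for every ScanWizard visitor without being escaped. The following is an added example, not Scan2Net code and not from the advisory author; it models a minimal disclaimer renderer in its vulnerable form beside a hardened one, plus the input-side and header-side controls a defender would layer on top. The function names, the `render_*` helpers and the sample disclaimer string are all constructed for this illustration.

```python
import html
import re

# Constructed sample: the kind of value a Poweruser could save in the
# disclaimer field. The tag is inert (an empty comment body) and exists
# only so the checks below can tell whether markup survives rendering.
STORED_DISCLAIMER = "Scans are logged.<script>/* constructed marker */</script>"

# Hypothetical page skeleton standing in for the ScanWizard template.
_PREFIX = '<div id="disclaimer">'
_SUFFIX = "</div>"


def render_disclaimer_vulnerable(text: str) -> str:
    """Mirrors the defect in the advisory: the stored value is pasted into
    the page verbatim, so any markup inside it becomes live HTML."""
    return f"{_PREFIX}{text}{_SUFFIX}"


def render_disclaimer_fixed(text: str) -> str:
    """Hardened form: HTML-escape at output time so the stored value is
    shown as text. quote=True also neutralises ' and " in case the value
    is ever placed inside an attribute."""
    return f"{_PREFIX}{html.escape(text, quote=True)}{_SUFFIX}"


def contains_live_tag(rendered: str) -> bool:
    """Crude render-time check used by the test: is there an unescaped
    '<script' between the wrapper tags?"""
    body = rendered[len(_PREFIX):-len(_SUFFIX)]
    return "<script" in body.lower()


_DISCLAIMER_ALLOWED = re.compile(r"^[\w\s.,;:!?()'\"/@%&+-]*$")


def accept_disclaimer_update(text: str, max_len: int = 2000):
    """Input-side control for the admin 'Edit Disclaimer Text' handler
    (assumed policy): a disclaimer is plain text, so reject anything that
    contains angle brackets or characters outside a small allow-list.
    Returns (accepted, reason). Output escaping remains mandatory even
    when this check passes; the two controls are independent layers."""
    if len(text) > max_len:
        return False, "disclaimer too long"
    if "<" in text or ">" in text:
        return False, "markup is not permitted in the disclaimer"
    if not _DISCLAIMER_ALLOWED.fullmatch(text):
        return False, "unsupported characters in the disclaimer"
    return True, "ok"


def security_headers() -> dict:
    """Defence in depth for pages that embed stored text: a CSP without
    'unsafe-inline' means that even an escaping regression would leave an
    injected inline script blocked by the browser (assumed deployment
    choice; the real device's header set is not known from the page)."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable :", render_disclaimer_vulnerable(STORED_DISCLAIMER))
    print("fixed      :", render_disclaimer_fixed(STORED_DISCLAIMER))
    print("input check:", accept_disclaimer_update(STORED_DISCLAIMER))
```

The important design point is that `render_disclaimer_fixed` escapes at the moment the value is written into HTML, not when it is stored; storing escaped text leads to double-encoding bugs and still leaves any other consumer of the value (an API, a log viewer) exposed. The allow-list in `accept_disclaimer_update` is a second, independent layer appropriate for a field that only ever needs plain prose, and the CSP removes inline-script execution as a last resort if either layer is bypassed.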
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Edit Disclaimer Text function of Image Access Scan2Net allows an authenticated Poweruser or Admin to inject arbitrary JavaScript executed in victims' browsers, including Kiosk mode.
The Edit Disclaimer Text function of the configuration menu in Image Access Scan2Net is vulnerable to stored cross-site scripting (XSS) due to missing input sanitization. An attacker with Poweruser or Admin privileges can inject arbitrary JavaScript code into the disclaimer text field, which is then stored on the server and served to other users without sanitization [1]. The vulnerable function is accessible at a specific URL under /cgi/admin.cgi, and the payload is executed every time the ScanWizard interface is loaded [1].
To exploit this vulnerability, an attacker must first obtain valid credentials for a Poweruser or Admin account. The attack vector is network-based, requiring access to the Scan2Net device's web interface. The stored JavaScript payload is delivered to all users who view the ScanWizard, including those in Kiosk-mode browsing contexts [1]. No additional user interaction beyond loading the page is required for the payload to execute, making it a persistent threat to any user accessing the application.
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, theft of sensitive data displayed in the interface, defacement of the application, or further actions that the victim's session permits [1]. Since Kiosk-mode browsers typically have restricted functionality, arbitrary script execution can break out of intended restrictions and compromise the display or data flow.
This vulnerability is part of a larger set of issues affecting Scan2Net firmware up to versions 7.40 and 7.42, with fixes primarily available in firmware version 7.42B [1]. Users should upgrade to the patched firmware version and restrict access to administrative functions to mitigate the risk of XSS attacks [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 3
News mentions: 0
No linked articles in our index yet.