CVE-2024-48461
Description
Cross Site Scripting vulnerability in TeslaLogger Admin Panel before v.1.59.6 allows a remote attacker to execute arbitrary code via the New Journey field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored and reflected XSS vulnerabilities in TeslaLogger Admin Panel before v1.59.6 allow remote attackers to inject arbitrary scripts because user input is insufficiently sanitized.
Vulnerability Overview
CVE-2024-48461 describes multiple cross-site scripting (XSS) vulnerabilities in the TeslaLogger Admin Panel, affecting versions prior to v1.59.6. The root cause is improper validation and sanitization of user-supplied input, particularly in the "New Journey" field and other parameters, allowing both stored and reflected XSS attacks [2].
Exploitation
An attacker can exploit the stored XSS by injecting a malicious payload into the "New Journey" field via the /admin/journeys.php endpoint. This payload is stored and executed whenever another user views the journey list. Reflected XSS is also present in endpoints such as /admin/abrp.php and /wakeup.php, where input parameters are not sanitized, allowing immediate script execution in the victim's browser [2]. No authentication is required for the reflected XSS; the stored XSS requires access to the admin panel but can affect other users.
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session cookie theft, web page defacement, account takeover, or other malicious actions within the application's domain [2].
Mitigation
The vulnerability has been fixed in version 1.59.6 of TeslaLogger, as noted in the project's changelog [1]. Users should update to the latest version to mitigate the risk. No workarounds are mentioned.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
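The stored and reflected cases described above come down to the same fix: encode user-supplied values for the HTML context at the point of output. The following PHP sketch is an added example, not TeslaLogger's code or its actual patch. The function names, the `carid` parameter and the sample values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a value for HTML text or a quoted attribute.
function h(string $value): string
{
    // ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stored case, "before": a saved journey name is concatenated into the page,
// so any markup in it becomes live markup for every user who views the list.
function renderJourneyRowUnsafe(string $name): string
{
    return '<tr><td>' . $name . '</td></tr>';
}

// Stored case, "after": the same value is rendered as inert text.
function renderJourneyRowSafe(string $name): string
{
    return '<tr><td>' . h($name) . '</td></tr>';
}

// Reflected case: a request parameter echoed into a quoted attribute.
// Non-string input (e.g. ?carid[]=x) is treated as empty.
function renderFieldSafe(array $query, string $param): string
{
    $value = isset($query[$param]) && is_string($query[$param]) ? $query[$param] : '';
    return '<input name="' . h($param) . '" value="' . h($value) . '">';
}

// Constructed sample inputs (not taken from the advisory).
$storedName = 'Road trip <script>/* marker */</script>';
$query      = ['carid' => '1" data-x="marker'];

echo renderJourneyRowUnsafe($storedName), PHP_EOL; // script element survives intact
echo renderJourneyRowSafe($storedName), PHP_EOL;   // angle brackets become &lt; and &gt;
echo renderFieldSafe($query, 'carid'), PHP_EOL;    // quote becomes &quot;, attribute stays closed
```

Encoding at output rather than filtering at input keeps the stored data intact and protects every page that renders it, including pages added later.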
Affected products
- Range: <1.59.6
Patches
17141d53abf07
References