VYPR
Low severity (3.5) · NVD Advisory · Published Nov 28, 2024 · Updated Apr 15, 2026

CVE-2024-49503

Description

An Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SUSE Manager allows attackers to execute JavaScript code in the organization credentials sub page. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before 5.0.15-150600.3.10.2; SUSE Manager Server Module 4.3: before 4.3.42-150400.3.52.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-49503 is a reflected XSS vulnerability in the Organization Credentials page of the SUSE Manager Setup Wizard, allowing attackers with admin access to execute JavaScript.

Root Cause

CVE-2024-49503 is an Improper Neutralization of Input During Web Page Generation vulnerability, commonly known as Cross-Site Scripting (XSS), found in the SUSE Manager web interface. Specifically, the Organization Credentials sub-page of the Setup Wizard does not properly sanitize user-supplied input before reflecting it in the page output. This allows an attacker to inject malicious JavaScript code that executes in the context of an authenticated administrator's browser session. The flaw affects SUSE Manager Server Module 4.3 versions before 4.3.42-150400.3.52.1 and the container image suse/manager/5.0/x86_64/server:5.0.2.7.8.1 before 5.0.15-150600.3.10.2. The bug was reported by Paolo Perego, who also provided a proof-of-concept attachment in the bug report [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that contains the XSS payload in the parameters processed by the Organization Credentials form. The attacker would then need to trick an authenticated SUSE Manager administrator into visiting that crafted link. Since the input is not neutralized, the payload is reflected back to the browser and executed. The CVSS v4.0 score assigned to this vulnerability is 4.6 (Medium), with the attack vector being network-based, low attack complexity, high privileges required (for the victim), and user interaction required. The CVSS v3.1 base score is 3.5 (Low), reflecting the need for an authenticated session and social engineering [1].

Impact

Upon successful exploitation, the attacker can execute arbitrary JavaScript in the victim's browser within the context of the SUSE Manager web application. This can lead to partial compromise of the confidentiality and integrity of the affected scope, such as performing actions on behalf of the administrator, stealing session cookies, or modifying page content. However, the impact is limited because the attacker needs a high-privileged user (an administrator) to trigger the script, and execution is constrained to the affected sub-page. The vulnerability itself does not allow server-side code execution or data exfiltration beyond what the victim's session permits.

Mitigation

SUSE has released a security update (SUSE-SU-2024:4009-1) that remediates this vulnerability along with two other CVEs (CVE-2024-47533, CVE-2024-49502) and additional security fixes. Administrators are advised to update SUSE Manager Server Module to version 4.3.42-150400.3.52.1 or later, and the container image to version 5.0.15-150600.3.10.2 or later. The update is considered critical by SUSE due to the combined fixes, but CVE-2024-49503 itself is rated low severity. No workarounds are documented; the recommended action is prompt patching.
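The Root Cause and Mitigation sections above describe the general class of this bug: a query parameter is written into the page without HTML encoding, and the fix is to neutralize it for the output context before reflecting it. The following Python is an added illustration of that class, not code from SUSE Manager, from the vendor update, or from this advisory; the `/setup/credentials` path, the `org` parameter, the page markup and the function names are all assumptions chosen for the demo. It shows an unescaped rendering beside its encoded counterpart and a small response check a defender can use to confirm a parameter carrying markup is no longer echoed verbatim.

```python
"""Reflected XSS: unescaped reflection versus HTML-encoded reflection.

Added illustration only; the form path, parameter name and page markup are
assumptions, not SUSE Manager's real page.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a hypothetical credentials form whose "org"
# query parameter is echoed back into the page body.
SAMPLE_URL = (
    "https://example.invalid/setup/credentials"
    "?org=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
)


def org_param(url: str) -> str:
    """Extract the untrusted 'org' value from the URL's query string."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("org", [""])[0]


def render_vulnerable(org: str) -> str:
    """Reflects the parameter verbatim: markup in the input becomes markup in the page."""
    return f"<h2>Organization credentials for {org}</h2>"


def render_hardened(org: str) -> str:
    """Neutralizes the input for an HTML text/attribute context before reflecting it."""
    return f"<h2>Organization credentials for {html.escape(org, quote=True)}</h2>"


# Anything that looks like an HTML tag in the untrusted value.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def reflects_unescaped(param: str, body: str) -> bool:
    """Defender's check: a parameter that carries tag-like text appears verbatim in the response.

    A plain value echoed back is harmless, so the check only fires when the
    parameter itself contains markup and that markup survives into the body.
    """
    return bool(TAG_RE.search(param)) and param in body


if __name__ == "__main__":
    value = org_param(SAMPLE_URL)
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        body = render(value)
        print(f"{name:10s} reflected-unescaped={reflects_unescaped(value, body)}: {body}")
```

`html.escape` is correct for HTML text and quoted-attribute contexts only; a value placed inside a script block, an event handler, a URL or a CSS property needs the encoder for that context, which is why template engines with context-aware auto-escaping are the usual fix for this bug class rather than ad hoc escaping at each call site.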

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

35

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.