CVE-2024-50800

An unauthenticated remote attacker crafts a URL containing a malicious JavaScript or HTML payload in the error parameter of the Smart4Web login page (e.g., `/smart4web/?error=<script>...</script>`). When a victim visits this crafted URL, the injected payload is reflected in the HTML response and executed in the victim's browser. The attacker can leverage this to perform phishing, redirection, content defacement, or malware distribution [CWE-79] [ref_id=1].

The vulnerable component is the login form's error parameter in the URL path `/smart4web/` [ref_id=1]. The advisory does not specify the exact server-side file or function responsible for rendering the error parameter.

The advisory does not include a patch diff, but the fix is described as version 5.0 20241004 and later [ref_id=1]. The remediation involves properly neutralizing or encoding user-controllable input placed into the error parameter before it is rendered in the HTML response, preventing script execution [CWE-79].

Navigate to the Smart4Web login page (`/smart4web/`) and attempt to log in with invalid credentials to trigger an error. Inject an HTML/JavaScript payload into the URL parameter immediately following `error=`. Upon visiting the crafted URL, the injected content is rendered in the HTML response [ref_id=1].