VYPR
Medium severity 5.4 · NVD Advisory · Published Nov 11, 2024 · Updated Apr 15, 2026

CVE-2024-51026

Description

NetAdmin IAM 4.0.30319 has a stored XSS in the /BalloonSave.ashx endpoint via the Content= parameter, exploitable by authenticated users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

The NetAdmin IAM system (version 4.0.30319) is affected by a stored Cross-Site Scripting (XSS) vulnerability in the /BalloonSave.ashx endpoint. The endpoint fails to properly sanitize user input supplied through the Content= parameter, allowing an attacker to inject arbitrary JavaScript or HTML code [1]. This input is later served to users without adequate encoding, leading to script execution in the context of the victim's browser session.

Exploitation Context

An attacker must be an authenticated user of the NetAdmin IAM system to reach the vulnerable endpoint [1]. The attack is network-based and of low complexity, and the only user interaction required is for a victim to view the affected page (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N). Once the malicious payload is submitted, it is stored on the server and executed every time a legitimate user loads the vulnerable page [1].

Impact

Successful exploitation could allow the attacker to perform actions within the context of the victim's session, such as stealing session cookies, exfiltrating sensitive data, or performing administrative operations if the victim has elevated privileges. The CVSS score of 7.3 (High) reflects the potential for significant confidentiality and integrity impact, though availability is not affected [1].

Mitigation Status

As of the advisory date, a fix is under homologation (testing/approval) by the vendor [1]. Until an official patch is released, organizations are advised to request an update from the vendor and implement input validation and output encoding controls to reduce the risk of exploitation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.
