CVE-2024-54451
Description
A cross-site scripting (XSS) vulnerability in the graphicCustomization.do page in Kurmi Provisioning Suite before 7.9.0.38, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15 allows remote attackers (authenticated as system administrators) to inject arbitrary web script or HTML via the COMPONENT_fields(htmlTitle) field, which is rendered in other pages of the application for all users (if the graphical customization has been activated by a super-administrator).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated admin XSS in Kurmi Provisioning Suite graphicCustomization.do allows arbitrary HTML/script injection via COMPONENT_fields(htmlTitle), affecting all users when activated.
Vulnerability Overview
CVE-2024-54451 is a stored cross-site scripting (XSS) vulnerability in the graphicCustomization.do page of Kurmi Provisioning Suite, affecting versions before 7.9.0.38, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15 [2]. The root cause is improper neutralization of user input in the COMPONENT_fields(htmlTitle) field, which is later rendered in other application pages without sanitization [2].
Exploitation Details
Exploitation requires prior authentication as a system administrator [2]. The attacker must inject arbitrary web script or HTML into the COMPONENT_fields(htmlTitle) parameter on the graphic customization page [2]. The injected payload is then displayed for all users on other pages of the application, but only if a super-administrator has activated graphical customization [2]. The exposed attack surface therefore depends on administrative configuration.
Impact
A successful attack allows the authenticated admin to inject malicious scripts that execute in the context of any user viewing the affected pages [2]. This can lead to session hijacking, credential theft, or defacement, depending on the injected payload. The vulnerability is rated Medium severity with a CVSS v3 score of 4.8 [2].
Mitigation
Kurmi Software has addressed this vulnerability in Provisioning Suite versions 7.9.0.38, 7.10.0.18, and 7.11.0.15 [2]. Administrators should upgrade to these fixed versions. No workarounds are mentioned; leaving graphical customization activated keeps the risk present until the patch is applied.
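To make the bug class concrete, the following added example (not Kurmi's code; the function names, the htmlTitle record layout and the sample values are constructed assumptions) shows a stored customization title rendered into a page unescaped, the same rendering with output encoding applied at the HTML boundary, and a small review helper that flags stored titles containing markup characters so that existing customizations can be audited before and after upgrading:

```javascript
// Added illustration of the stored-XSS pattern behind CVE-2024-54451: an
// administrator-editable HTML title that is rendered for every user.
// NOT the vendor's code; all names, fields and sample records are assumptions.

// Encode the characters that switch context in an HTML body or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored title is concatenated into the markup as-is,
// so any tags saved by an administrator become live HTML for every viewer.
function renderTitleUnsafe(customization) {
  return `<h1 class="portal-title">${customization.htmlTitle}</h1>`;
}

// Hardened pattern: encode at the output boundary. The database may keep the
// raw string; what reaches the browser is text, never markup.
function renderTitleSafe(customization) {
  return `<h1 class="portal-title">${escapeHtml(customization.htmlTitle)}</h1>`;
}

// Audit helper: return the ids of stored customizations whose title contains
// characters that a page still rendering raw would interpret as markup.
function findSuspiciousTitles(records) {
  const markupLike = /[<>"']|&#|&[a-z]+;/i;
  return records.filter((r) => markupLike.test(r.htmlTitle)).map((r) => r.id);
}

// Constructed sample records, as they might sit in a customization table.
const SAMPLE_CUSTOMIZATIONS = [
  { id: "default", htmlTitle: "Acme Provisioning Portal" },
  { id: "tampered", htmlTitle: "Portal <script>alert(1)</script>" },
];

// Stand-alone demonstration: the same stored value under both renderers.
if (typeof require !== "undefined" && require.main === module) {
  for (const rec of SAMPLE_CUSTOMIZATIONS) {
    console.log("unsafe:", renderTitleUnsafe(rec));
    console.log("safe:  ", renderTitleSafe(rec));
  }
  console.log("flagged:", findSuspiciousTitles(SAMPLE_CUSTOMIZATIONS));
}

module.exports = { escapeHtml, renderTitleUnsafe, renderTitleSafe, findSuspiciousTitles, SAMPLE_CUSTOMIZATIONS };
```

The encoding is applied where the value is written into HTML rather than where it is stored, which is the fix that holds up regardless of how many pages later display the same field; the audit helper only identifies records worth reviewing and is not a substitute for applying the vendor's fixed versions.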
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <7.9.0.38; 7.10.0.0 - 7.10.0.18; 7.11.0.0 - 7.11.0.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2 entries; the list itself is not reproduced on this page)
News mentions
No linked articles in our index yet.