VYPR
Medium severity · NVD Advisory · Published Nov 14, 2024 · Updated Apr 15, 2026

CVE-2024-7124

Description

Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software in the parameter 'filter' in the endpoint 'indexsearch' allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in the user's browser. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted URL in the DInGO dLibra 'filter' parameter allows reflected XSS, fixed in version 6.3.20.

Vulnerability

Overview

CVE-2024-7124 is a reflected Cross-Site Scripting (XSS) vulnerability found in the DInGO dLibra web application developed by the Poznan Supercomputing and Networking Center (PCSS) [2][3]. The flaw originates from improper neutralization of user input supplied via the 'filter' parameter of the 'indexsearch' endpoint. When an attacker crafts a malicious URL and tricks a victim into opening it, the injected script executes in the victim's browser [1][2].

Exploitation

Path

An attacker does not need prior authentication to exploit this vulnerability; the attack vector relies solely on social engineering. The victim need only visit a specially crafted link that carries the malicious 'filter' parameter. Because the input is not properly sanitized before being written into the response, the browser interprets the injected payload as part of the page's HTML or JavaScript, enabling script execution [2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the user's session. This can lead to session hijacking, theft of sensitive data displayed on the page, or further phishing attacks. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) [2][3].

Mitigation

The vendor released version 6.3.20, which addresses the issue by properly sanitizing the 'filter' parameter. Users should update immediately. There is no indication that this vulnerability is listed in the Known Exploited Vulnerabilities (KEV) catalog as of publication [1][2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
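The Exploitation and Mitigation sections above describe a reflected parameter and the fix of encoding it before output. The following added example (not dLibra's code; the `/dlibra/indexsearch` path, the log format and the log lines are constructed assumptions) shows the flaw class beside its hardened form, a check for the advisory's affected-version range, and a detection pass over access-log lines that flags 'indexsearch' requests whose 'filter' value carries markup characters.

```python
# Added example for CVE-2024-7124; not code from the dLibra project.
import html
import re
from urllib.parse import urlsplit, parse_qs, unquote


def is_affected(version: str) -> bool:
    """True if a dLibra version lies in the advisory range 6.0 <= v < 6.3.20."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))  # pad "6.0" -> (6, 0, 0)
    return (6, 0, 0) <= parts < (6, 3, 20)


def render_filter_unsafe(filter_value: str) -> str:
    """Illustrates the flaw class: the parameter is copied verbatim into the page."""
    return f'<input name="filter" value="{filter_value}">'


def render_filter_safe(filter_value: str) -> str:
    """Hardened form: HTML-attribute encode the value before reflecting it."""
    return f'<input name="filter" value="{html.escape(filter_value, quote=True)}">'


# Characters that should never appear in a plain search filter reflected into HTML.
MARKUP = re.compile(r'[<>"\']')
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')


def suspicious_indexsearch_requests(log_lines):
    """Return log lines whose 'indexsearch' request has a 'filter' value with markup."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("indexsearch"):  # assumed endpoint path suffix
            continue
        # parse_qs percent-decodes once; unquote again to catch double encoding.
        for value in parse_qs(url.query, keep_blank_values=True).get("filter", []):
            if MARKUP.search(unquote(value)):
                hits.append(line)
                break
    return hits


# Constructed sample access-log lines (Common Log Format style).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Nov/2024:10:00:01 +0000] "GET /dlibra/indexsearch?filter=history HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Nov/2024:10:00:07 +0000] "GET /dlibra/indexsearch?filter=%3Cb%3Ehistory HTTP/1.1" 200 5133',
    '203.0.113.9 - - [14/Nov/2024:10:01:00 +0000] "GET /dlibra/results?filter=%3Cb%3E HTTP/1.1" 200 900',
]
```

Only the second sample line is flagged: the first carries a plain value and the third hits a different endpoint.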

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in the index yet)