CVE-2023-49574
📋 TL;DR
This vulnerability in VX Search Enterprise allows attackers to inject malicious JavaScript payloads through the job_name parameter in the /add_job endpoint. When exploited, this stored XSS can execute arbitrary code in users' browsers when they view affected pages. Organizations using VX Search Enterprise version 10.2.14 are affected.
💻 Affected Systems
- VX Search Enterprise
📦 What is this software?
Vx Search by Flexense
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to complete system compromise.
Likely Case
Attackers with access to the application could inject malicious scripts that steal session cookies or credentials from other users, leading to unauthorized access and potential data exfiltration.
If Mitigated
With proper input validation and output encoding, the malicious payloads would be neutralized, preventing script execution while maintaining application functionality.
🎯 Exploit Status
Exploitation requires the ability to create or modify jobs in the system, suggesting some level of access is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor for latest version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-vx-search-enterprise
Restart Required: Yes
Instructions:
1. Check current VX Search Enterprise version
2. Contact Flexense for patch information
3. Apply vendor-provided patch
4. Restart VX Search Enterprise service
5. Verify the fix by testing XSS payloads
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the job_name parameter by removing or encoding special characters
Implement input validation in application code (sanitize_input stands for the application's own validation routine): job_name = sanitize_input(request.POST['job_name'])
Output Encoding
Apply proper output encoding when displaying job names in web pages to prevent script execution
Use HTML entity encoding: encoded_name = html.escape(job_name)
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Restrict access to the VX Search Enterprise interface to trusted users only
🔍 How to Verify
Check if Vulnerable:
Test by creating a job with a payload like <script>alert('XSS')</script> in the job_name field and check if it executes when viewing the job
Check Version:
Check VX Search Enterprise about dialog or configuration files for version information
Verify Fix Applied:
Attempt the same XSS payload after patching and verify it does not execute (appears as plain text)
📡 Detection & Monitoring
Log Indicators:
- Unusual job creation/modification events
- HTTP requests to /add_job with script tags or JavaScript in parameters
Network Indicators:
- HTTP traffic containing script tags or JavaScript code in job_name parameter
SIEM Query:
source="vxsearch.log" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
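Added example, not VX Search code: the vulnerable rendering pattern beside the validation and output-encoding workarounds from the section above, plus the SIEM query terms applied to constructed request log lines. The job-name allowlist pattern and the log line format are assumptions.

```python
import html
import re

# Constructed example; nothing here is taken from the VX Search code base.
XSS_PAYLOAD = "<script>alert('XSS')</script>"   # the probe from "How to Verify"

# Assumption: job names are short identifiers made of letters, digits, space, _ - .
JOB_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def validate_job_name(job_name: str) -> bool:
    """Server-side allowlist validation for the job_name parameter."""
    return bool(JOB_NAME_RE.fullmatch(job_name))


def render_job_row_vulnerable(job_name: str) -> str:
    """Interpolates the stored name into HTML verbatim: a payload becomes markup."""
    return f"<tr><td>{job_name}</td></tr>"


def render_job_row_safe(job_name: str) -> str:
    """Output encoding: HTML entity-escape the stored name at render time."""
    return f"<tr><td>{html.escape(job_name, quote=True)}</td></tr>"


# Detection: the same terms as the SIEM query above, applied to /add_job requests.
SIEM_TERMS = ("<script", "javascript:", "onerror=", "onload=")


def flag_suspicious_requests(log_lines):
    """Return the /add_job log lines whose parameters contain any SIEM query term."""
    hits = []
    for line in log_lines:
        lowered = line.lower()
        if "/add_job" in lowered and any(term in lowered for term in SIEM_TERMS):
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed lines in a generic access-log shape (assumed format)
    "POST /add_job job_name=nightly_backup 200",
    "POST /add_job job_name=<script>alert(1)</script> 200",
    "GET /jobs 200",
    'POST /add_job job_name=x" onerror=alert(1) 200',
]

if __name__ == "__main__":
    print(validate_job_name(XSS_PAYLOAD), render_job_row_safe(XSS_PAYLOAD))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("ALERT:", hit)
```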