CVE-2024-10090

6.1 MEDIUM

📋 TL;DR

CVE-2024-10090 is a reflected cross-site scripting (XSS) vulnerability in the SoftCOM iKSORIS Internet Starter module. An attacker can trick a user into submitting crafted data through the user-addition form, causing attacker-supplied script to run in the victim's browser context. Organizations running vulnerable versions of iKSORIS are affected.

💻 Affected Systems

Products:
  • SoftCOM iKSORIS Internet Starter module
Versions: All versions before 79.0
Operating Systems: Any OS running iKSORIS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction - victims must be tricked into submitting malicious form data.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the application interface through injected scripts.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires social engineering but has low technical complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 79.0

Vendor Advisory: https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html

Restart Required: Yes

Instructions:

1. Download version 79.0 or later from the SoftCOM iKSORIS vendor.
2. Back up the current installation.
3. Apply the update following the vendor instructions.
4. Restart the iKSORIS service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF)

all

Deploy a WAF with XSS protection rules to filter malicious input.

Add Content Security Policy

all

Implement strict CSP headers to restrict script execution sources.

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Implement input validation and output encoding on all user-controllable inputs
  • Educate users about phishing risks and suspicious form submissions

🔍 How to Verify

Check if Vulnerable:

Check the iKSORIS version in the administration panel or configuration files. If the version is below 79.0, the system is vulnerable.

Check Version:

Check the iKSORIS admin interface or configuration files for version information.

Verify Fix Applied:

Confirm the version is 79.0 or higher in the administration panel, then submit a basic XSS test string (e.g., <script>alert('test')</script>) through the form inputs and confirm it is returned encoded as text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual form submissions with script tags or JavaScript code
  • Multiple failed login attempts following suspicious form submissions

Network Indicators:

  • HTTP requests containing script tags or JavaScript in form parameters
  • Unusual redirects from iKSORIS forms

SIEM Query:

source="iKSORIS_logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
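The SIEM query above matches the indicator strings literally, so it misses the same strings when they arrive percent-encoded or in mixed case in the request line. The following detector, added here as an illustration and not part of this advisory or of iKSORIS, applies the same four indicators after URL-decoding and case-folding. The access-log format and the /users/add path are constructed assumptions; the iKSORIS log format is not described on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a common access-log style (assumption: the real
# iKSORIS log format is not documented on this page). The /users/add path is
# also a placeholder for the user-addition form.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Oct/2024:10:00:01 +0000] "GET /users/add?name=Anna HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Oct/2024:10:00:09 +0000] "GET /users/add?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Oct/2024:10:01:12 +0000] "GET /users/add?name=x%22%20OnErRoR%3Dalert(1) HTTP/1.1" 200 640',
    '10.0.0.3 - - [01/Oct/2024:10:02:30 +0000] "POST /users/add HTTP/1.1" 302 0',
]

# The same indicator set as the SIEM query, as case-insensitive patterns.
XSS_INDICATORS = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.IGNORECASE)


def normalize(value):
    """Percent-decode repeatedly so a double-encoded value cannot hide from the match."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_xss_indicators(lines):
    """Return (line_number, indicator) for each line whose request target, after
    decoding, contains one of the indicators. A literal string match would miss
    the percent-encoded and mixed-case variants in the sample lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = re.search(r'"(?:GET|POST|PUT) (\S+) HTTP/', line)
        if not match:
            continue
        decoded = normalize(match.group(1))
        hit = XSS_INDICATORS.search(decoded)
        if hit:
            hits.append((number, hit.group(0).lower()))
    return hits


if __name__ == "__main__":
    for number, indicator in flag_xss_indicators(SAMPLE_LOGS):
        print(f"line {number}: indicator {indicator!r}")
```

Only the request line is inspected here; POST bodies are not present in access logs, so form submissions sent as POST need the application's own request logging or a WAF log to apply the same check.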

🔗 References