CVE-2024-13598
📋 TL;DR
This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Internet Starter module of the SoftCOM iKSORIS system. Form field values are echoed back into the page without proper output encoding, so an attacker who gets a victim to open a crafted link or submit a crafted form can run script in the victim's browser, potentially stealing session cookies or performing actions as the victim. Organizations running iKSORIS versions below 79.0 are affected.
💻 Affected Systems
- SoftCOM iKSORIS system with Internet Starter module
📦 What is this software?
iKSORIS by SoftCOM (listed as Softcom.wroc): a ticket reservation and sales system.
⚠️ Risk & Real-World Impact
Worst Case
An administrator opens the crafted link while logged in; the attacker hijacks the administrator session and, within what the web interface allows, modifies configuration, exports sensitive customer and booking data, or creates further accounts. Deploying ransomware would require an additional foothold beyond the XSS itself.
Likely Case
Attackers send crafted links to regular users and steal their session cookies, impersonating them to access their data and perform unauthorized actions within the system.
If Mitigated
With proper output encoding (and a Content Security Policy as defense in depth), the injected markup renders as inert text and the script never executes; the impact is limited to failed exploitation attempts visible in the logs.
🎯 Exploit Status
Exploitation requires user interaction (the victim must open a crafted link or submit a crafted form, ideally while logged in), but reflected XSS is a well-known technique and payloads are trivial to construct.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 79.0
Vendor Advisory: https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html
Restart Required: Yes
Instructions:
1. Download version 79.0 or later from the vendor.
2. Back up the current configuration and data.
3. Install the update following the vendor's instructions.
4. Restart the iKSORIS service.
5. Verify functionality.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Validate form field parameters server-side and, more importantly, HTML-encode them when they are echoed back into the response.
In the form processing code, encode <, >, &, " and ' on output; stripping these characters on input is only a fallback, since it mangles legitimate input (names with apostrophes, for example) and does not cover every output context.
Content Security Policy
Add a Content Security Policy that disallows inline script, so a reflected <script> block, event handler or javascript: URL does not execute even if the encoding fix is missing
Add header: Content-Security-Policy: script-src 'self'
Test before deploying: the application's own inline scripts will be blocked as well. Rolling it out first as Content-Security-Policy-Report-Only shows what would break without blocking anything.
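The following is an added illustration, not code from iKSORIS or SoftCOM (the page does not say what the module is written in). It shows the bug class behind this CVE and the two workarounds above side by side: a form field echoed verbatim, the same field HTML-encoded on output, the lossy strip-on-input fallback, and the CSP header. The field name, HTML fragments and probe string are constructed for the example; the probe is the one the page uses in "How to Verify".

```python
import html
from typing import Dict

# Constructed probe string (the same harmless payload the page suggests for testing).
PROBE = "<script>alert('test')</script>"


def render_unsafe(field_value: str) -> str:
    """Vulnerable pattern: a submitted form field is reflected verbatim into the
    response, in an attribute and in text. This is the reflected-XSS bug class."""
    return f'<input name="city" value="{field_value}"><p>You entered: {field_value}</p>'


def render_safe(field_value: str) -> str:
    """Hardened pattern: HTML-encode at output time. html.escape(quote=True)
    encodes & < > " and ', so the value can neither close the quoted attribute
    nor start a tag in the text context."""
    v = html.escape(field_value, quote=True)
    return f'<input name="city" value="{v}"><p>You entered: {v}</p>'


def strip_chars(field_value: str) -> str:
    """The fallback the page mentions: strip dangerous characters on input.
    It blocks the probe but is lossy (O'Brien becomes OBrien) and does nothing
    for output contexts such as unquoted attributes or inline JavaScript."""
    return "".join(ch for ch in field_value if ch not in "<>&\"'")


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """The check a tester performs on the response: does the raw probe come back?
    True means the page is vulnerable; False means it was encoded or rejected."""
    return probe in body


def csp_headers() -> Dict[str, str]:
    """The Content Security Policy workaround. 'self' permits only scripts loaded
    from the site's own origin, so inline <script>, event handlers and javascript:
    URLs injected into the page do not run. The site's own inline scripts are
    blocked too, which is why it must be tested (or rolled out as Report-Only) first."""
    return {"Content-Security-Policy": "script-src 'self'"}


if __name__ == "__main__":
    print("vulnerable rendering reflects probe:", reflects_unescaped(render_unsafe(PROBE)))
    print("encoded rendering reflects probe:   ", reflects_unescaped(render_safe(PROBE)))
    print("encoded output:", render_safe(PROBE))
    print("stripped input:", strip_chars("O'Brien <b>"))
    print("header:", csp_headers())
```

The encoded output contains `&lt;script&gt;alert(&#x27;test&#x27;)&lt;/script&gt;`, which the browser displays as text. `html.escape` is correct for HTML text and quoted attribute values only; a value placed inside a `<script>` block or an unquoted attribute needs context-specific encoding, which is the main reason output encoding, not input stripping, is the durable fix.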
🧯 If You Can't Patch
- Disable or restrict access to the affected Internet Starter module forms (for example, to trusted networks) until the patch can be applied
- Implement web application firewall (WAF) rules to block XSS payloads in form parameters
🔍 How to Verify
Check if Vulnerable:
Check whether the Internet Starter module version is below 79.0. On a system you are authorized to test, submit a harmless probe such as <script>alert('test')</script> in a form field and inspect the response: if the raw tag is reflected unencoded, the system is vulnerable
Check Version:
Check iKSORIS administration panel or consult vendor documentation for version information
Verify Fix Applied:
After patching, submit the same probe and confirm the response either contains it HTML-encoded (&lt;script&gt; rather than <script>) or rejects the request; the raw tag must not appear in the page
📡 Detection & Monitoring
Log Indicators:
- Form submissions whose parameters contain script tags, event handler attributes (onerror=, onload=) or javascript: URLs, in raw or URL-encoded form
- A session cookie reused from a different client IP address or User-Agent shortly after such a request (possible session hijack with a stolen cookie)
Network Indicators:
- HTTP requests containing <script> tags or JavaScript in form parameters, including their percent-encoded forms (%3Cscript%3E)
- Victim browsers making requests to unfamiliar external domains immediately after loading a form page (cookie exfiltration via image or fetch requests)
SIEM Query (pseudo-query; adapt field names to your SIEM, and note that access logs usually hold parameters percent-encoded, so either decode http_uri before matching or also match the encoded forms):
source="web_logs" AND (http_uri="*<script>*" OR http_uri="*%3Cscript%3E*" OR http_params="*javascript:*" OR http_params="*onerror=*" OR http_params="*onload=*")
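As an added example (not part of the original page or of any iKSORIS tooling), the detection logic above run over constructed web server access-log lines in combined log format. It percent-decodes the request URI before matching, which is what the literal SIEM query cannot do, so the `%3Cscript%3E` and `%22%20onerror%3D` payloads are caught. The paths, parameter names, IP addresses (from documentation ranges) and timestamps are all made up for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format). Not real iKSORIS logs;
# the paths and parameters are invented for the example.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Jan/2025:10:01:02 +0100] "GET /starter/form?city=Wroclaw HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2025:10:01:05 +0100] "GET /starter/form?city=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 4133 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2025:10:02:11 +0100] "GET /starter/form?name=%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 4101 "-" "curl/8.4"',
    '198.51.100.5 - - [10/Jan/2025:10:03:40 +0100] "GET /starter/form?q=javascript%3Aalert(document.cookie) HTTP/1.1" 200 4099 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:10:04:00 +0100] "POST /starter/submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# The same three indicator families as the SIEM query: script tags,
# event-handler attributes, javascript: URLs. Matched case-insensitively
# and tolerant of whitespace, which literal wildcard matching is not.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"\bon(error|load|mouseover|focus)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]

# Extracts method and URI from the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def decode_uri(uri: str) -> str:
    """Percent-decode twice: probes are often double-encoded so that a
    single decode (or a literal match on the raw log line) misses them."""
    return unquote_plus(unquote_plus(uri))


def find_xss_probes(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose decoded URI matches an XSS indicator.
    Only GET parameters are visible here; POST bodies need application logs or a WAF."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = decode_uri(m.group("uri"))
        matched = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({"client": line.split()[0], "uri": decoded, "patterns": matched})
    return hits


if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOGS):
        print(f"{hit['client']}  {hit['uri']}  <- {hit['patterns']}")
```

Three of the five constructed lines are flagged: the encoded `<script>` block, the attribute break-out with `onerror=`, and the `javascript:` URL; the benign form load and the POST (whose body is not in the access log) are not. A hit only shows that someone probed the form; to confirm exploitation, correlate it with the session-reuse indicator listed above.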