CVE-2024-22718

9.6 CRITICAL

📋 TL;DR

This is a Cross-Site Scripting (XSS) vulnerability in Form Tools 3.1.1 that allows attackers to inject malicious scripts via the client_id parameter in URLs. Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies or performing actions on behalf of authenticated users. All installations of Form Tools 3.1.1 with the vulnerable component accessible are affected.

💻 Affected Systems

Products:
  • Form Tools
Versions: 3.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation of Form Tools 3.1.1 with the vulnerable component accessible via web interface is affected. The vulnerability is in the client_id parameter handling.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the Form Tools application, access all form data, and potentially pivot to internal systems.

🟠 Likely Case

Attackers steal user session cookies, access form submissions containing sensitive data, and perform unauthorized actions within the application.

🟢 If Mitigated

With proper input validation and output encoding, the injected script is never executed, and the impact is limited to log entries recording the attempted exploitation.

🌐 Internet-Facing: HIGH - Web applications with XSS vulnerabilities are prime targets for internet-based attackers who can craft malicious URLs and trick users into clicking them.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this, though attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity. Attackers need to craft malicious URLs containing JavaScript payloads and trick users into visiting them.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check the Form Tools vendor website for security updates.
2. If a patch exists, download and apply it according to the vendor instructions.
3. Verify the fix by testing the vulnerable parameter with XSS payloads.

🔧 Temporary Workarounds

Input Validation and Output Encoding

all

Implement server-side validation of client_id parameter and properly encode all output to prevent script execution.

  • Validate the client_id parameter in the affected PHP files, e.g. filter_var($client_id, FILTER_VALIDATE_INT) or equivalent, and reject the request when validation fails
  • Apply htmlspecialchars() (with ENT_QUOTES, so single quotes are encoded as well) or equivalent output encoding wherever client_id values are rendered into HTML

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block requests containing suspicious patterns in the client_id parameter.

  • Block requests whose client_id parameter, after URL decoding, contains <script>, javascript:, or other XSS indicators

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution sources
  • Disable or restrict access to the vulnerable component if not essential for operations

🔍 How to Verify

Check if Vulnerable:

Request the vulnerable URL with a client_id parameter containing a simple XSS payload such as <script>alert('test')</script> and check whether the script executes.

Check Version:

Check Form Tools version in admin interface or review installation files for version information.

Verify Fix Applied:

Retest with the same XSS payloads after applying fixes. The payload should be displayed as plain text or blocked, not executed as JavaScript.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with client_id parameter containing script tags, javascript: protocol, or other XSS indicators
  • Unusual parameter values in client_id field

Network Indicators:

  • HTTP requests with suspicious patterns in URL parameters
  • Outbound connections to unexpected domains following form submissions

SIEM Query:

source="web_logs" AND (uri="*client_id=*<script>*" OR uri="*client_id=*javascript:*" OR uri="*client_id=*onerror=*")
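As an added example (not part of this advisory), the following Python scanner applies the log indicators above to access-log lines, generalising the SIEM query to any on*= handler attribute and decoding the client_id value first so that URL-encoded payloads are not missed. The log lines and the /clients/edit.php path are constructed for illustration and are not real Form Tools paths or traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); /clients/edit.php
# is a placeholder path. Lines 1 and 2 carry XSS indicators in client_id,
# line 3 is benign, and line 4 is the line 1 payload URL-encoded, which a
# literal "*client_id=*<script>*" match in the SIEM query does not see.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /clients/edit.php?client_id=<script>alert(1)</script> HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:01:09 +0000] "GET /clients/edit.php?client_id=1<img%20src=x%20onerror=alert(1)> HTTP/1.1" 200 512
198.51.100.7 - - [10/Jan/2024:10:02:15 +0000] "GET /clients/edit.php?client_id=42 HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:03:40 +0000] "GET /clients/edit.php?client_id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators from the Log Indicators list, generalised to any on*= handler.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
]

def client_id_findings(line):
    """Return the indicator names hit by the client_id value(s) in one log
    line; an empty list means nothing suspicious was found."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    for raw in parse_qs(query, keep_blank_values=True).get("client_id", []):
        # parse_qs percent-decodes once; decode again so a double-encoded
        # payload is also inspected in its final form.
        for candidate in (raw, unquote(raw)):
            for pat in XSS_PATTERNS:
                if pat.search(candidate) and pat.pattern not in findings:
                    findings.append(pat.pattern)
        # client_id is expected to be an integer (the mitigation above uses
        # FILTER_VALIDATE_INT); anything else counts as an unusual value.
        if not raw.isdigit() and "non_integer" not in findings:
            findings.append("non_integer")
    return findings

def scan_log(text):
    """Map each 1-based line number that hits an indicator to its findings."""
    return {n: f for n, line in enumerate(text.splitlines(), 1)
            if (f := client_id_findings(line))}
```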
