CVE-2024-2596
📋 TL;DR
This is a Cross-Site Scripting (XSS) vulnerability in AMSS++ version 4.31 that allows remote attackers to inject malicious scripts via user-controlled input in the /amssplus/modules/mail/main/select_send.php endpoint. Attackers can steal authenticated users' session cookies by tricking them into clicking a specially crafted URL. Organizations using AMSS++ 4.31 are affected.
💻 Affected Systems
- AMSS++
📦 What is this software?
Amss++ by Amss++ Project
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to sensitive data, privilege escalation, and potential lateral movement within the system.
Likely Case
Session hijacking where attackers steal authenticated users' cookies to impersonate them and access their privileges within AMSS++.
If Mitigated
Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.
🎯 Exploit Status
Exploitation requires the victim to be authenticated and click a malicious link. The vulnerability is well-documented with specific parameters identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 4.31 (check vendor for specific version)
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amssplus-amss
Restart Required: No
Instructions:
1. Check the vendor advisory for the patched version.
2. Back up the current installation.
3. Upgrade AMSS++ to the patched version.
4. Test functionality after upgrade.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side input validation and proper output encoding for all user-controlled parameters in select_send.php
Content Security Policy
Implement strict Content Security Policy headers to prevent script execution from untrusted sources
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads targeting the vulnerable endpoint
- Restrict access to /amssplus/modules/mail/main/select_send.php to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check if AMSS++ version is 4.31 by examining version files or admin interface. Test the select_send.php endpoint with XSS payloads in parameters.
Check Version:
Check AMSS++ configuration files or admin dashboard for version information
Verify Fix Applied:
Verify the AMSS++ version is updated beyond 4.31. Test the select_send.php endpoint with XSS payloads to confirm they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual parameter values in select_send.php requests containing script tags or JavaScript code
- Multiple failed authentication attempts followed by successful access
Network Indicators:
- HTTP requests to select_send.php with suspicious parameter values
- Outbound connections to external domains following access to the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="/amssplus/modules/mail/main/select_send.php" AND (param CONTAINS "<script>" OR param CONTAINS "javascript:")
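The log check above as an added example (not part of the original advisory or the AMSS++ project): it percent-decodes parameter values before matching, because a literal match on `<script>` misses URL-encoded and double-encoded requests. The combined access log format, the sample lines and the `example_param` parameter name are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

VULN_PATH = "/amssplus/modules/mail/main/select_send.php"  # endpoint from the advisory
# Same two markers as the SIEM query, tolerant of case and spacing.
MARKERS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)
# Assumption: Apache/nginx "combined"-style access log lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

# Constructed sample lines; "example_param" is a placeholder parameter name.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /amssplus/modules/mail/main/select_send.php?example_param=5 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Mar/2024:10:02:13 +0000] "GET /amssplus/modules/mail/main/select_send.php?example_param=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734',
    '203.0.113.9 - - [10/Mar/2024:10:02:40 +0000] "GET /amssplus/modules/mail/main/select_send.php?example_param=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 734',
    '198.51.100.7 - - [10/Mar/2024:10:03:02 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 120',
    '203.0.113.44 - - [10/Mar/2024:10:05:55 +0000] "GET /amssplus/modules/mail/main/select_send.php?example_param=javascript%3Aalert(1) HTTP/1.1" 200 734',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(line):
    """Return [(param, decoded_value)] for flagged parameters on one log line."""
    match = LOG_RE.match(line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if url.path.lower() != VULN_PATH:
        return []  # only the endpoint named in the advisory is in scope
    pairs = parse_qsl(url.query, keep_blank_values=True)  # decodes once
    decoded = [(name, decode_fully(value)) for name, value in pairs]
    return [(name, value) for name, value in decoded if MARKERS.search(value)]

def scan(lines):
    """Return [(line_number, client_ip, hits)] for every flagged line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = suspicious_params(line)
        if hits:
            findings.append((number, line.split(" ", 1)[0], hits))
    return findings

if __name__ == "__main__":
    for number, ip, hits in scan(SAMPLE_LOG):
        print(f"line {number} from {ip}: {hits}")
```

This covers query-string parameters only; values sent in a POST body do not appear in standard access logs and need application or WAF logging.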