CVE-2024-26313
📋 TL;DR
Archer Platform 6.x contains a stored cross-site scripting (XSS) vulnerability that allows an authenticated malicious user to inject HTML/JavaScript into the application's data store, where it persists. When other users view the stored data in their browsers, the injected code executes in the context of the vulnerable application. This affects Archer Platform 6.x installations before the fixed releases.
💻 Affected Systems
- Archer Platform
📦 What is this software?
Archer by Archerirm
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise user accounts and data integrity.
Likely Case
Attackers with authenticated access could inject malicious scripts to steal session tokens or credentials from other users accessing the compromised data store.
If Mitigated
With proper server-side input validation and output encoding in place, the risk is reduced substantially, though the underlying vulnerability remains in unpatched systems.
🎯 Exploit Status
Exploitation requires authenticated access; stored XSS typically has low complexity once the injection point is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.14 P2 HF2 (6.14.0.2.2) or 6.13 P3 HF1 (6.13.0.3.1)
Vendor Advisory: https://www.archerirm.community/t5/platform-announcements/archer-update-for-multiple-vulnerabilities/ta-p/717102
Restart Required: Yes
Instructions:
1. Download the patch from the Archer support portal.
2. Back up the Archer database and application files.
3. Apply the patch following Archer's update procedures.
4. Restart the Archer services.
5. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side input validation and output encoding for all user-supplied data in the Archer application.
Content Security Policy (CSP)
Deploy a strict Content Security Policy to mitigate the impact of XSS attacks by restricting script execution.
🧯 If You Can't Patch
- Restrict user permissions to minimize the number of authenticated users who could exploit the vulnerability.
- Monitor application logs for suspicious activity related to data store modifications and script injections.
🔍 How to Verify
Check if Vulnerable:
Check the Archer Platform version via the Archer Control Panel or by examining the application files; 6.13.x builds before 6.13.0.3.1 and 6.14.x builds before 6.14.0.2.2 are vulnerable.
Check Version:
Check the Archer Control Panel or refer to the Archer documentation for version verification commands specific to your deployment.
Verify Fix Applied:
After patching, verify the version is 6.14.0.2.2 or 6.13.0.3.1 or later, and test for XSS by attempting to inject scripts in data store fields to ensure they are sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to data store entries, especially those containing HTML or JavaScript code.
- Multiple failed login attempts followed by successful authentication and data store access.
Network Indicators:
- Unexpected outbound connections from user browsers to external domains after accessing Archer data.
- Increased traffic to data store endpoints from a single authenticated user.
SIEM Query:
Example: source="archer_logs" AND event_type="data_store_modification" AND (data CONTAINS "<script>" OR data CONTAINS "javascript:")
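The detection logic of the SIEM query above, carried out over constructed log lines in Python as an added example that is not part of the original advisory; the JSON-per-line format and the field names event_type, user and data are assumptions for this example, not Archer's actual log schema. It also checks for inline event-handler attributes, which the query alone does not cover.

```python
import json
import re

# Markers the SIEM query looks for (<script>, javascript:), plus inline
# event-handler attributes such as onerror=, matched case-insensitively so
# "<SCRIPT" or "JavaScript:" is not missed.
SCRIPT_INDICATORS = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample log lines (JSON per line). The field names event_type,
# user and data are assumptions for this example, not Archer's log schema.
SAMPLE_LOGS = [
    '{"event_type": "data_store_modification", "user": "alice", "data": "Quarterly risk review complete"}',
    '{"event_type": "data_store_modification", "user": "mallory", "data": "<script>alert(1)</script>"}',
    '{"event_type": "data_store_modification", "user": "mallory", "data": "<a href=\\"JavaScript:void(0)\\">link</a>"}',
    '{"event_type": "data_store_modification", "user": "bob", "data": "<img src=x onerror=alert(1)>"}',
    '{"event_type": "login", "user": "carol", "data": "<script>"}',
    "not valid json",
]


def is_suspicious_modification(event):
    """True when a data-store modification carries an XSS indicator.

    Both conditions must hold: event_type is data_store_modification AND the
    data matches a marker. A login event containing "<script>" is not an alert.
    """
    if event.get("event_type") != "data_store_modification":
        return False
    return SCRIPT_INDICATORS.search(str(event.get("data", ""))) is not None


def scan_logs(lines):
    """Parse JSON-per-line logs and return the events worth alerting on."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the scan
        if is_suspicious_modification(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"ALERT user={hit['user']} data={hit['data']!r}")
```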