CVE-2024-28100

8.9 HIGH

📋 TL;DR

CVE-2024-28100 is a cross-site scripting (XSS) vulnerability in eLabFTW that allows authenticated users to upload malicious files that execute JavaScript in visitors' browsers. This enables attackers to perform actions on behalf of victims, including creating API keys for persistence or performing administrative functions if the victim has sysadmin privileges. All eLabFTW instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • eLabFTW
Versions: All versions before 5.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with file upload functionality enabled are vulnerable. The vulnerability requires authenticated user access to upload malicious files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains full sysadmin privileges, allowing system configuration changes, user management, and complete compromise of the eLabFTW instance and potentially underlying systems.

🟠 Likely Case

Regular users have their accounts compromised, leading to data theft, unauthorized experiment modifications, and creation of persistent backdoors via API keys.

🟢 If Mitigated

With proper network segmentation and limited user privileges, impact is contained to the eLabFTW application data only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access to upload files. The advisory provides technical details but no public exploit code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.0

Vendor Advisory: https://github.com/elabftw/elabftw/security/advisories/GHSA-xp3v-w8cx-cqxc

Restart Required: Yes

Instructions:

1. Backup your eLabFTW database and files.
2. Download eLabFTW version 5.0.0 or later from the official repository.
3. Replace the existing installation with the new version.
4. Restart the web server service.
5. Verify the upgrade was successful.

🧯 If You Can't Patch

  • Disable file upload functionality for all users
  • Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution
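The CSP mitigation only helps if the policy actually forbids inline script, and a policy that looks restrictive can still permit it (a stray 'unsafe-inline' in default-src, or no script-src/default-src at all). The checker below is an added example, not eLabFTW code: it parses a Content-Security-Policy header value and reports whether inline JavaScript can run under it. The three policy strings are constructed illustrations; it is assumed the operator can set response headers on the reverse proxy in front of eLabFTW.

```python
"""Check whether a Content-Security-Policy value blocks inline script execution.

Added example for the CSP mitigation above; not part of eLabFTW. The policy
strings are constructed, and the assumption is that the operator controls
response headers (e.g. on a reverse proxy) for the eLabFTW instance.
"""
from __future__ import annotations

# A policy that still allows inline script: 'unsafe-inline' in the fallback directive.
WEAK_CSP = "default-src 'self' 'unsafe-inline'; img-src *"

# A policy for the application pages that blocks inline script.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self'; object-src 'none'; "
    "base-uri 'self'; frame-ancestors 'self'"
)

# A policy for responses that serve user-uploaded files: the sandbox directive
# (without allow-scripts) prevents script execution even if the browser renders
# the upload inline as HTML or SVG.
UPLOAD_CSP = "sandbox; default-src 'none'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; per the CSP spec the first occurrence of a
    directive name wins and later duplicates are ignored.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, values)
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src applies if present; otherwise default-src is the fallback.
    None means neither is set, i.e. the policy does not restrict scripts."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(header: str) -> bool:
    """True if an inline <script> could execute under this policy."""
    policy = parse_csp(header)
    # A sandbox directive without allow-scripts disables script execution outright.
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return False
    sources = effective_script_sources(policy)
    if sources is None:
        return True
    sources_lc = [s.lower() for s in sources]
    if "'unsafe-inline'" not in sources_lc:
        return False
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present,
    # and also when 'strict-dynamic' is present (CSP level 2/3 behaviour).
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources_lc
    )
    if has_nonce_or_hash or "'strict-dynamic'" in sources_lc:
        return False
    return True


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP), ("upload", UPLOAD_CSP)):
        print(f"{label:9s} inline script allowed: {allows_inline_script(csp)}")
```

Run it against the header your proxy actually returns (for example the value copied from a browser's network inspector) for both an application page and an uploaded-file URL; the upload response is the one that matters for this CVE, since that is where the attacker-controlled content is served from.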

🔍 How to Verify

Check if Vulnerable:

Check the eLabFTW version in the web interface footer or by examining the source code. Versions below 5.0.0 are vulnerable.

Check Version:

grep -r "APP_VERSION" /path/to/elabftw/config/
(or check the web interface footer)

Verify Fix Applied:

Verify the version shows 5.0.0 or higher in the web interface footer and test that file uploads are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with JavaScript content
  • Multiple API key creation events from single user sessions
  • Administrative actions from non-admin users

Network Indicators:

  • Unexpected JavaScript execution in file upload responses
  • Suspicious outbound connections following file views

SIEM Query:

source="elabftw" AND ((event="file_upload" AND file_type="javascript") OR (event="api_key_create" AND count>1))
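The same three log indicators expressed as code, run over a handful of constructed log lines. This is an added example, not eLabFTW's own logging: the key=value layout and the field names (event, user, session, mime, role, action) are assumptions chosen to mirror the SIEM query, and the "more than one API key per session" threshold matches its count>1 clause. The upload check keys on the MIME type rather than a literal "javascript" file type, because browsers execute script inside HTML and SVG uploads as well.

```python
"""Flag the log indicators listed above over constructed sample events.

Added example; not eLabFTW's log format. Field names, the key=value layout
and the sample lines are assumptions made for illustration.
"""
from __future__ import annotations
from collections import Counter

# Constructed sample events (not real logs).
SAMPLE_LOG = """\
ts=2024-03-10T09:01:12Z event=file_upload user=alice session=s1 file=results.csv mime=text/csv
ts=2024-03-10T09:02:40Z event=file_upload user=bob session=s2 file=plot.svg mime=image/svg+xml
ts=2024-03-10T09:03:05Z event=file_upload user=bob session=s2 file=notes.html mime=text/html
ts=2024-03-10T09:10:00Z event=api_key_create user=carol session=s3 role=user
ts=2024-03-10T09:10:02Z event=api_key_create user=carol session=s3 role=user
ts=2024-03-10T09:10:03Z event=api_key_create user=carol session=s3 role=user
ts=2024-03-10T09:15:00Z event=admin_action user=dave session=s4 role=user action=user_update
ts=2024-03-10T09:16:00Z event=admin_action user=erin session=s5 role=sysadmin action=user_update
"""

# MIME types a browser may render as active content, i.e. able to carry JavaScript.
SCRIPT_CAPABLE_MIME = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/javascript", "application/javascript",
}
API_KEY_THRESHOLD = 1  # alert when more than this many keys are created in one session


def parse_line(line: str) -> dict[str, str]:
    """Split one 'k=v k=v ...' line into a dict (assumed format, no quoting)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(log_text: str) -> list[str]:
    """Return one alert string per indicator hit, in log order (key-count alerts last)."""
    alerts: list[str] = []
    keys_per_session: Counter[str] = Counter()
    session_user: dict[str, str] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        event = e.get("event")
        if event == "file_upload" and e.get("mime") in SCRIPT_CAPABLE_MIME:
            alerts.append(f"script-capable upload: user={e['user']} file={e['file']} mime={e['mime']}")
        elif event == "api_key_create":
            keys_per_session[e["session"]] += 1
            session_user[e["session"]] = e["user"]
        elif event == "admin_action" and e.get("role") != "sysadmin":
            alerts.append(f"admin action by non-admin: user={e['user']} action={e['action']}")
    for session, n in keys_per_session.items():
        if n > API_KEY_THRESHOLD:
            alerts.append(f"{n} API keys created in session {session} (user={session_user[session]})")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data this yields four alerts: bob's two script-capable uploads, dave's administrative action without a sysadmin role, and carol's three API keys in one session; alice's CSV upload and erin's legitimate sysadmin action are not flagged.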

🔗 References
