CVE-2024-28804
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into Italtel i-MCS NFV web interface via POST requests. When other users view the affected pages, their browsers execute the injected scripts, potentially compromising their sessions or devices. Organizations running Italtel i-MCS NFV 12.1.0-20211215 are affected.
💻 Affected Systems
- Italtel i-MCS NFV
📦 What is this software?
i-MCS NFV by Italtel
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to full system compromise.
Likely Case
Attackers steal session cookies or authentication tokens to gain unauthorized access to the NFV management interface, potentially modifying configurations or accessing sensitive data.
If Mitigated
With proper input validation and output encoding, malicious scripts are neutralized before reaching users' browsers, preventing exploitation.
🎯 Exploit Status
Exploitation requires the ability to submit POST requests to vulnerable endpoints, which typically requires some level of access to the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.gruppotim.it/it/footer/red-team.html
Restart Required: No
Instructions:
1. Contact Italtel support for patch availability.
2. If a patch is available, download and apply it according to vendor instructions.
3. Verify the fix by testing XSS payloads.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules to filter malicious POST requests before they reach the application.
Input Validation Filter
Implement server-side input validation to sanitize POST parameters before processing.
🧯 If You Can't Patch
- Restrict network access to the i-MCS NFV web interface using firewall rules to only trusted IP addresses.
- Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks.
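The three controls named above (server-side input validation, output encoding, and a CSP header) in one small handler. This is an added illustration, not Italtel code, and it assumes nothing about how i-MCS NFV actually renders its pages: the field names (node_name, description), the table template and the handler signature are constructed for the example. The unsafe renderer is kept beside the hardened one only to show the difference in output.

```python
"""Hardening a POST-parameter sink against XSS: allow-list validation,
contextual output encoding, and a Content-Security-Policy header.

Added example (not vendor code). Field names, template and handler are assumptions.
"""
import html
import re

# Allow-list for an identifier-style field: letters, digits, dot, dash, underscore.
NODE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

# The harmless test payload suggested in the verification section.
PAYLOAD = "<script>alert('test')</script>"


def validate_node_name(value: str) -> bool:
    """Reject anything outside the allow-list instead of trying to strip tags out."""
    return NODE_NAME.fullmatch(value) is not None


def render_vulnerable(node_name: str, description: str) -> str:
    """Unsafe: POST parameters are interpolated into the HTML verbatim (the bug class)."""
    return (f"<tr><td>{node_name}</td>"
            f'<td><input name="description" value="{description}"></td></tr>')


def render_safe(node_name: str, description: str) -> str:
    """Safe: each untrusted value is entity-encoded for the context it lands in
    (text node for the name, double-quoted attribute for the description)."""
    return (f"<tr><td>{html.escape(node_name)}</td>"
            f'<td><input name="description" value="{html.escape(description, quote=True)}"></td></tr>')


def security_headers() -> dict:
    """Headers that limit what an injected script could do if one slipped through.
    script-src 'self' blocks inline scripts, so a reflected <script> tag will not run."""
    return {
        "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                    "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"),
        "X-Content-Type-Options": "nosniff",
    }


def handle_post(form: dict) -> tuple:
    """Minimal request handler: validate, then encode, then attach the headers.
    Returns (status, headers, body)."""
    name = form.get("node_name", "")
    desc = form.get("description", "")
    if not validate_node_name(name):
        return 400, security_headers(), "<p>invalid node name</p>"
    return 200, security_headers(), render_safe(name, desc)


if __name__ == "__main__":
    print(render_vulnerable("node-01", PAYLOAD))
    print(render_safe("node-01", PAYLOAD))
    print(handle_post({"node_name": PAYLOAD, "description": "x"})[0])
```

The CSP above is deliberately strict; a vendor UI that relies on inline scripts or CDN-hosted libraries will break under it, so roll it out in Content-Security-Policy-Report-Only first and read the violation reports before enforcing.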
🔍 How to Verify
Check if Vulnerable:
Test by submitting a harmless XSS payload like <script>alert('test')</script> via POST to application endpoints and check if it executes when viewing the page.
Check Version:
Check the i-MCS NFV administration interface or configuration files for version information. Typically found in web interface footer or about page.
Verify Fix Applied:
After applying fixes, retest with XSS payloads to ensure they are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests containing script tags or JavaScript code in parameters
- Multiple failed login attempts followed by POST requests with encoded payloads
Network Indicators:
- HTTP POST requests containing <script>, javascript:, or encoded HTML entities to application endpoints
SIEM Query:
source="web_server_logs" AND (method="POST" AND (uri="*" AND (param="*<script>*" OR param="*javascript:*")))
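The log indicators and the SIEM query above, turned into a scanner that can be run over exported web-server logs. This is an added example, not part of the advisory or the vendor's tooling; the log format (a combined-style access line with the decoded POST body appended as body="...") and all sample lines are constructed, since the page does not describe i-MCS NFV's log layout. It goes slightly beyond the page's indicator list by decoding URL-encoding and HTML entities twice, so that double-encoded payloads are caught as well.

```python
"""Flag POST requests whose parameters carry XSS-style content.

Added example (not vendor code). Log format and sample lines are constructed.
"""
import html
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Markers matching the network indicators above (<script>, javascript:),
# plus inline event handlers as a common variant.
XSS_MARKERS = re.compile(r"(<\s*script\b|javascript\s*:|\bon\w+\s*=)", re.IGNORECASE)

# Assumed line layout: combined log, optionally followed by body="<decoded form body>"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: body="(?P<body>[^"]*)")?$'
)

# Constructed sample lines: one benign POST, three suspicious POSTs, one GET.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Mar/2024:10:00:01 +0000] "POST /config/save HTTP/1.1" 200 512 '
    'body="name=node1&desc=primary+site"',
    '10.0.0.9 - - [12/Mar/2024:10:02:17 +0000] "POST /config/save HTTP/1.1" 200 512 '
    'body="name=node2&desc=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"',
    '10.0.0.9 - - [12/Mar/2024:10:02:30 +0000] "POST /users/edit HTTP/1.1" 302 0 '
    'body="url=javascript%3Aalert%281%29"',
    '10.0.0.9 - - [12/Mar/2024:10:02:41 +0000] "POST /users/edit HTTP/1.1" 200 100 '
    'body="bio=%26lt%3Bscript%26gt%3B"',
    '10.0.0.7 - - [12/Mar/2024:10:03:00 +0000] "GET /config/list HTTP/1.1" 200 2048',
]


def normalize(value: str) -> str:
    """Undo URL-encoding and HTML entities, twice, so double-encoded input is visible."""
    for _ in range(2):
        value = html.unescape(unquote_plus(value))
    return value


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a POST whose parameters contain XSS markers, else None."""
    m = LOG_LINE.match(line)
    if not m or m["method"] != "POST" or not m["body"]:
        return None
    hits = {}
    for name, values in parse_qs(m["body"], keep_blank_values=True).items():
        for raw in values:
            if XSS_MARKERS.search(normalize(raw)):
                hits[name] = raw
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "uri": m["uri"], "params": hits}


def scan_log(lines) -> list:
    """Run scan_line over an iterable of log lines and keep the findings."""
    return [hit for hit in map(scan_line, lines) if hit]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Correlating findings by source address (here 10.0.0.9) is what turns three single hits into the pattern the Log Indicators section describes; the SIEM query above matches only on the literal strings, so the decoded comparison here is the part worth porting into the SIEM rule.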