CVE-2024-29318

5.4 MEDIUM

📋 TL;DR

Volmarg Personal Management System 1.4.64 contains a stored cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript via uploaded SVG files. This affects all users of the vulnerable version who can upload files, potentially compromising other users who view the malicious content.

💻 Affected Systems

Products:
  • Volmarg Personal Management System
Versions: 1.4.64
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires file upload functionality to be enabled and accessible to attackers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface the application, or redirect users to malicious sites.

🟠 Likely Case

Session hijacking leading to unauthorized access to personal management data and potential account compromise.

🟢 If Mitigated

Limited impact with proper input validation and content security policies in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload SVG files, which typically requires some level of access to the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for updated version from official sources
2. Apply security patches if available
3. Review and implement workarounds

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Configure the application to reject SVG file uploads entirely.

Modify the file upload configuration to block the .svg extension.

Implement Content Security Policy (applies to: all)

Add CSP headers to prevent execution of inline JavaScript.

Add the HTTP response header Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Restrict file upload permissions to trusted users only
  • Implement web application firewall rules to detect and block malicious SVG uploads

🔍 How to Verify

Check if Vulnerable:

Test by uploading an SVG file containing JavaScript code and checking if it executes when viewed

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Attempt the same SVG upload test after implementing controls; JavaScript should not execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple failed upload attempts
  • Requests to uploaded SVG files

Network Indicators:

  • SVG files containing JavaScript patterns in upload traffic

SIEM Query:

source="web_server" AND (file_extension=".svg" OR content="<script")
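The two workarounds above (block SVG uploads, send a restrictive CSP) and the detection indicators can all be exercised with a small amount of defensive code. The block below is an added example, not code from Personal Management System or its vendor; the function names, the upload gate and the sample files are constructed for illustration. It content-sniffs uploads so that an SVG renamed to another extension is still rejected, screens an SVG for script-capable constructs (script elements, on* event handlers, javascript: URLs) so that a blocked upload can be logged as an indicator, and checks whether a response's Content-Security-Policy actually forbids inline script. One caveat a practitioner needs: a CSP sent only on the application's HTML pages does not govern an uploaded SVG that a victim opens directly by URL, because that SVG is then its own document, so the header must also be sent on the responses that serve uploaded files.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# --- Constructed sample uploads (not from the advisory) ---------------------
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<script>console.log("inline script")</script>'
    b'<rect width="10" height="10" onload="console.log(1)"/>'
    b'<a xlink:href="javascript:void(0)"><text>x</text></a>'
    b'</svg>'
)
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed, not a real image

# Element local names that can execute script or embed HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """ElementTree names tags/attributes as '{namespace}local'; keep the local part."""
    return qualified.rsplit("}", 1)[-1].lower()


def parse_xml(data: bytes):
    """Parse untrusted bytes, returning None if they are not well-formed XML.
    Assumption: stdlib ElementTree is used here for portability; for production
    parsing of untrusted XML, defusedxml is the safer choice."""
    try:
        return ET.fromstring(data)
    except ET.ParseError:
        return None


def looks_like_svg(data: bytes) -> bool:
    """Content-sniff the upload so a file renamed to .png is still recognised as SVG."""
    root = parse_xml(data)
    return root is not None and local_name(root.tag) == "svg"


def find_active_content(data: bytes) -> List[str]:
    """Screen an SVG for script-capable constructs. Returns a list of findings;
    an empty list means none of the patterns checked here were seen. This is a
    triage check for logging and blocking, not a sanitizer: it does not cover
    every way an SVG can become active."""
    root = parse_xml(data)
    if root is None:
        return ["not well-formed XML"]
    findings: List[str] = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and JS_SCHEME.match(value):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def accept_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Workaround 1 from the advisory, 'disable SVG uploads', enforced on content
    as well as extension. Hypothetical gate; not the application's own code."""
    if filename.lower().endswith(".svg") or looks_like_svg(data):
        return False, "SVG uploads are disabled"
    return True, "accepted"


def csp_blocks_inline_script(headers: Dict[str, str]) -> bool:
    """Workaround 2: check that a response's CSP does not permit inline script.
    Falls back to default-src when script-src is absent, as browsers do.
    Nonces and hashes are not modelled; any 'unsafe-inline' counts as permissive."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return False
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False  # neither directive present: inline script is allowed
    return "'unsafe-inline'" not in sources


if __name__ == "__main__":
    print(accept_upload("logo.png", BENIGN_SVG))   # rejected by content sniffing
    print(accept_upload("photo.png", FAKE_PNG))     # accepted
    for finding in find_active_content(SUSPICIOUS_SVG):
        print("finding:", finding)                  # three findings for the sample
    print(csp_blocks_inline_script({"Content-Security-Policy": "script-src 'self'"}))
```

Wire accept_upload into the upload handler and log every rejection together with the output of find_active_content; those log lines are the concrete form of the "unusual SVG file uploads" indicator listed above. Run csp_blocks_inline_script against the headers of both an application page and a served upload to confirm the policy covers the file responses, not just the HTML.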
