CVE-2024-30115
📋 TL;DR
This vulnerability in HCL Leap allows attackers to inject malicious scripts into web applications through the HTML widget. The insufficient sanitization enables cross-site scripting (XSS) attacks that could affect any users accessing vulnerable HCL Leap applications. Organizations using HCL Leap with HTML widgets are potentially affected.
💻 Affected Systems
- HCL Leap
📦 What is this software?
Domino Leap by HCLTech
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user session cookies, credentials, or sensitive data, perform actions on behalf of authenticated users, or redirect users to malicious sites.
Likely Case
Attackers inject malicious scripts to steal session cookies or credentials from users accessing the vulnerable application.
If Mitigated
With proper input validation and output encoding, the risk is limited to potential data leakage from unsanitized content display.
🎯 Exploit Status
XSS vulnerabilities typically have low exploitation complexity once the injection point is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: HCL Leap V12.0.1.2
Vendor Advisory: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0120722
Restart Required: Yes
Instructions:
1. Download HCL Leap V12.0.1.2 from the HCL support portal.
2. Back up the current installation.
3. Apply the update following the HCL Leap upgrade procedures.
4. Restart the Leap server and verify functionality.
🔧 Temporary Workarounds
Disable HTML Widgets
Remove or disable HTML widgets from deployed applications to eliminate the attack vector.
Implement Content Security Policy
Add strict Content-Security-Policy headers to limit the sources from which scripts may execute.
Add the header Content-Security-Policy: script-src 'self' to HTTP responses served by Leap.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads
- Enable input validation and output encoding for all user-controlled data in HTML widgets
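The "input validation and output encoding" mitigation above is a two-sided control: untrusted widget content is reduced to an allow-list of harmless tags and attributes, link targets are checked against an allow-list of URL schemes, and all remaining text is entity-encoded before it is rendered. The following is an added illustration of that pattern in Python, not code from HCL Leap or from this advisory; the allowed tag set, the attribute rules and the sample inputs are assumptions chosen for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list for an HTML widget: a handful of formatting tags, and
# only the href attribute on links. Anything else (script, img, style, on*
# event handlers) is dropped rather than encoded.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
SKIP_CONTENT_TAGS = {"script", "style"}  # drop their text, not just the tags


def safe_href(value):
    """Accept only http(s)/mailto URLs or relative paths.

    Whitespace and control characters are removed before parsing because
    browsers strip them, so "java\tscript:" would otherwise slip through as
    a scheme-less relative URL. Entity-encoded forms are already decoded by
    HTMLParser before the value reaches us.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class WidgetSanitizer(HTMLParser):
    """Rebuilds widget markup from an allow-list, encoding all text nodes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # what was removed, useful for audit logging
        self._skipping = False  # inside a <script>/<style> body

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT_TAGS:
            self._skipping = True
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            allowed = name in ALLOWED_ATTRS.get(tag, set())
            if allowed and value is not None and safe_href(value):
                # Attribute-context encoding: quotes and ampersands become entities.
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT_TAGS:
            self._skipping = False
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skipping:
            return
        # Text-context encoding: '<', '>' and '&' can never re-open markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_widget_html(untrusted):
    """Return (safe_markup, list_of_dropped_items) for one widget's content."""
    parser = WidgetSanitizer()
    parser.feed(untrusted)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample inputs, not captured Leap data.
    for sample in (
        "<p>Total: <b>42</b></p>",
        "<img src=x onerror=alert(1)>",
        '<a href="javascript:alert(1)" onclick="x()">link</a>',
        "<ScRiPt>alert(1)</ScRiPt>after",
        "5 &lt; 6 & 7 > 2",
    ):
        print(sanitize_widget_html(sample))
```

The function returns the removed items alongside the cleaned markup so the application can log them; a widget submission whose dropped list contains script tags or on* attributes is exactly the "unusual script tags in HTML widget inputs" indicator listed under Detection & Monitoring.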
🔍 How to Verify
Check if Vulnerable:
You are affected if you run an HCL Leap version earlier than V12.0.1.2 and your deployed applications contain HTML widgets.
Check Version:
Check Leap administration console or server logs for version information
Verify Fix Applied:
Verify that the HCL Leap version is V12.0.1.2 or later, then re-test HTML widget functionality with benign test XSS payloads to confirm they no longer execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual script tags or JavaScript in HTML widget inputs
- Multiple failed script injection attempts in logs
Network Indicators:
- HTTP requests containing script injection patterns to Leap endpoints
- Unexpected external script loads from Leap pages
SIEM Query:
source="leap_logs" AND ("<script" OR "javascript:" OR "onerror=" OR "onload=")
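The SIEM query above is a string match on four well-known markers. As an added example (not part of the advisory and not an HCL Leap log format), the following Python runs the same four patterns over constructed log lines, matches them case-insensitively so that mixed-case variants are not missed, and groups hits by user so that the "multiple injection attempts" indicator can be raised. The log layout and user names are assumptions for the demonstration.

```python
import re
from collections import Counter

# The four markers from the advisory's SIEM query, compiled case-insensitively;
# the optional whitespace around '=' and after '<' catches trivial spacing tricks.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "onerror_handler": re.compile(r"onerror\s*=", re.IGNORECASE),
    "onload_handler": re.compile(r"onload\s*=", re.IGNORECASE),
}

USER_RE = re.compile(r"\buser=(\S+)")

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO widget.save app=expenses widget=html user=alice content="<p>Total: 42</p>"
2024-05-01T10:00:07Z INFO widget.save app=expenses widget=html user=mallory content="<img src=x onerror=alert(1)>"
2024-05-01T10:00:09Z INFO widget.save app=hr widget=text user=bob content="See the onboarding page"
2024-05-01T10:00:12Z INFO widget.save app=hr widget=html user=mallory content="<ScRiPt src=//example.invalid/x.js></ScRiPt>"
2024-05-01T10:00:15Z INFO widget.save app=hr widget=html user=carol content="<a href='JavaScript:void(0)'>link</a>"
"""


def scan_line(line):
    """Return the names of every XSS pattern that matches one log line."""
    return [name for name, rx in XSS_PATTERNS.items() if rx.search(line)]


def scan_log(text):
    """Return one finding per matching line: (line_number, user, [pattern names])."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            match = USER_RE.search(line)
            findings.append((number, match.group(1) if match else "unknown", hits))
    return findings


def repeat_offenders(findings, threshold=2):
    """Users with at least `threshold` flagged lines, sorted by name."""
    counts = Counter(user for _, user, _ in findings)
    return sorted(user for user, count in counts.items() if count >= threshold)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for number, user, hits in results:
        print(f"line {number}: user={user} patterns={hits}")
    print("repeat offenders:", repeat_offenders(results))
```

Expect some false positives from ordinary prose (the word "onload" followed by "=" in a text widget, for instance), so treat a single hit as a lead to review and the per-user repeat count as the stronger signal.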