CVE-2024-35321

4.3 MEDIUM

📋 TL;DR

MyNET up to v26.08 contains a reflected cross-site scripting (XSS) vulnerability in the msgtipo parameter. This allows attackers to inject malicious scripts that execute in victims' browsers when they visit specially crafted URLs. Organizations using MyNET versions up to v26.08 are affected.

💻 Affected Systems

Products:
  • MyNET
Versions: Up to and including v26.08
Operating Systems: All supported OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the msgtipo parameter handling; all deployments using affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or defacement of web pages through script injection.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS typically requires user interaction (clicking a malicious link) but is easy to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v26.09 or later

Vendor Advisory: https://www.airc.pt/solucoes-servicos/solucoes?segment=MYN

Restart Required: Yes

Instructions:

1. Download the latest MyNET version from the vendor.
2. Back up the current installation.
3. Apply the patch/upgrade to v26.09+.
4. Restart MyNET services.
5. Verify the fix.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side validation to sanitize input to the msgtipo parameter.

# Add input validation in application code for msgtipo parameter

Web Application Firewall (WAF)

all

Deploy WAF rules to block XSS payloads in the msgtipo parameter.

# Configure WAF to filter <script> tags and JavaScript in msgtipo

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to limit script execution.
  • Use network segmentation to isolate MyNET from critical systems and limit access.

🔍 How to Verify

Check if Vulnerable:

Test by injecting <script>alert('XSS')</script> into the msgtipo parameter and checking whether the script executes.

Check Version:

Check MyNET admin interface or configuration files for version number.

Verify Fix Applied:

After patching, repeat the XSS test; the script should not execute and the input should be properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual msgtipo parameter values containing script tags or JavaScript code in web logs.

Network Indicators:

  • HTTP requests with msgtipo parameter containing suspicious payloads.

SIEM Query:

web_logs msgtipo CONTAINS "<script>" OR "javascript:"
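
Access logs usually record the query string percent-encoded, so a literal match on "<script>" can miss the same value logged as %3Cscript%3E. The following Python example, added here and not taken from the advisory or the vendor, decodes msgtipo before matching; the combined log format, the sample lines and the heuristic patterns are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Heuristic markers of markup or script, applied only after decoding.
SUSPICIOUS_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon\w+\s*=", re.I)

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def msgtipo_values(log_line):
    """Return the decoded msgtipo values found in one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    # parse_qs does the first decoding pass; names are compared case-insensitively.
    params = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    return [decode_fully(v) for name, values in params.items()
            if name.lower() == "msgtipo" for v in values]

def suspicious_hits(lines):
    """Return (line_number, decoded_value) for msgtipo values that look like script."""
    return [(n, value) for n, line in enumerate(lines, 1)
            for value in msgtipo_values(line) if SUSPICIOUS_RE.search(value)]

# Constructed sample log lines; paths and addresses are placeholders, not MyNET's.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /page?msgtipo=info HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /page?msgtipo=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /page?MsgTipo=javascript%3Avoid(0) HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Jan/2025:10:00:12 +0000] "GET /index HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line_no, value in suspicious_hits(SAMPLE_LOG):
        print(f"line {line_no}: suspicious msgtipo value {value!r}")
```

The patterns are heuristics and can produce false positives; tune them against the values msgtipo legitimately takes in your deployment.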
