CVE-2024-37392

6.1 MEDIUM

📋 TL;DR

A stored XSS vulnerability in SMSEagle software allows attackers to inject malicious JavaScript into SMS messages. When viewed in the web interface, this code executes in the victim's browser. This affects all SMSEagle installations running versions below 6.0.

💻 Affected Systems

Products:
  • SMSEagle
Versions: All versions < 6.0
Operating Systems: SMSEagle's custom Linux-based OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web-GUI interface when viewing SMS messages. SMS functionality itself remains operational.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attacker could steal administrator credentials, hijack sessions, install backdoors, or pivot to internal networks if the SMSEagle device has network access.

🟠 Likely Case: Session hijacking, credential theft, or defacement of the SMSEagle web interface.

🟢 If Mitigated: Limited to interface manipulation without network access if proper network segmentation exists.

🌐 Internet-Facing: HIGH if the SMSEagle web interface is exposed to the internet, as attackers can directly target it.
🏢 Internal Only: MEDIUM as attackers would need internal network access first, but once inside could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires sending a malicious SMS to the device, which then must be viewed in the web interface. No authentication bypass needed for the XSS execution itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.0

Vendor Advisory: https://www.smseagle.eu/security-advisory/resolved-xss-in-smseagle-software-cve-2024-37392/

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download SMSEagle version 6.0 from the official vendor.
3. Upload the firmware via the web interface.
4. Apply the update.
5. Reboot the device.

🔧 Temporary Workarounds

Input Sanitization Filter

all

Implement custom input validation to strip script tags from SMS messages before display

Not applicable - requires code modification

Content Security Policy

all

Implement CSP headers to restrict script execution

Add the response header "Content-Security-Policy: script-src 'self'" to the web server configuration

🧯 If You Can't Patch

  • Restrict web interface access to trusted IP addresses only
  • Disable SMS inbox viewing functionality in web interface if not required

🔍 How to Verify

Check if Vulnerable:

Check SMSEagle version via web interface: System > About. If version is below 6.0, system is vulnerable.

Check Version:

Not applicable - version check done via web interface

Verify Fix Applied:

After updating to version 6.0, verify version in System > About shows 6.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SMS messages containing script tags or JavaScript code
  • Multiple failed login attempts after SMS viewing

Network Indicators:

  • Outbound connections from SMSEagle device to unexpected external IPs
  • Unusual HTTP requests from SMSEagle web interface

SIEM Query:

source="smseagle" AND (message="*<script>*" OR message="*javascript:*")
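
The query above matches two literal substrings. The following added example (not from SMSEagle or the vendor advisory) generalizes it into a triage check that also flags inline event-handler attributes and other HTML tags in message bodies, and shows the output encoding that neutralizes such content at display time, which is more robust than the script-tag stripping described under Temporary Workarounds. The indicator names, function names and sample inbox are assumptions constructed for illustration.

```python
import html
import re

# Markup indicators to look for in an inbound SMS body (triage heuristics).
INDICATORS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9]*\b[^>]*>", re.I),
}

def scan_message(body):
    """Return the sorted names of the indicators present in one SMS body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))

def render_safe(body):
    """Output-encode a body for an HTML text or attribute context."""
    return html.escape(body, quote=True)

def triage(messages):
    """Return (sender, indicators) for every message that carries markup."""
    hits = []
    for sender, body in messages:
        found = scan_message(body)
        if found:
            hits.append((sender, found))
    return hits

# Constructed sample inbox: (sender, body). Not real SMSEagle data.
SAMPLE_INBOX = [
    ("+15550100", "Your code is 481516"),
    ("+15550101", "<script>alert(1)</script>"),
    ("+15550102", '<a href="javascript:alert(1)">open</a>'),
    ("+15550103", "<img src=x onerror=alert(1)>"),
    ("+15550104", "if a < b then reply YES"),
]

if __name__ == "__main__":
    for sender, found in triage(SAMPLE_INBOX):
        print(sender, found)
    print(render_safe(SAMPLE_INBOX[1][1]))
```

A plain-text message containing a lone "<" is not flagged, because the tag pattern requires a closing ">".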
