CVE-2024-37675
📋 TL;DR
This CVE describes a Cross-Site Scripting (XSS) vulnerability in the Tessi Docubase Document Management product, version 5.x. It allows remote attackers to inject malicious scripts via the 'sectionContent' parameter when adding notes to uploaded files, potentially compromising user sessions. Organizations using Docubase 5.x are affected.
💻 Affected Systems
- Tessi Docubase Document Management
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to data theft or system compromise.
Likely Case
Attackers inject malicious scripts to steal session cookies or credentials from authenticated users, enabling unauthorized access to the document management system.
If Mitigated
With proper input validation and output encoding, the vulnerability is prevented, and user sessions remain secure.
🎯 Exploit Status
Exploitation requires user interaction (e.g., clicking a malicious link) and authenticated access to the note-adding feature; public proof-of-concept is available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
Check vendor website (http://tessi.com or http://docubase.com) for security updates or patches; apply any available fixes as per vendor instructions.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation and sanitization for the 'sectionContent' parameter to strip or encode malicious scripts.
Not applicable; requires code changes
Web Application Firewall (WAF) Rules
Deploy WAF rules to block XSS payloads targeting the 'sectionContent' parameter.
Not applicable; configure WAF settings
🧯 If You Can't Patch
- Restrict access to the note-adding functionality to trusted users only.
- Monitor logs for suspicious activity related to the 'sectionContent' parameter.
🔍 How to Verify
Check if Vulnerable:
Test by injecting a script payload (e.g., <script>alert('XSS')</script>) into the 'sectionContent' parameter when adding a note to an uploaded file; if the script executes, the system is vulnerable.
Check Version:
Check the Docubase version via the application interface or configuration files; command varies by deployment.
Verify Fix Applied:
After applying fixes, repeat the test; the script should be sanitized or blocked, and no execution should occur.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing script tags or unusual strings in 'sectionContent' parameter values
- Failed login attempts or unusual user activity following note additions
Network Indicators:
- HTTP requests with script payloads in the 'sectionContent' parameter
- Outbound connections to suspicious domains triggered by note actions
SIEM Query:
Example: search 'sectionContent' AND ('script' OR 'javascript' OR 'onload') in web server logs
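As an added example for the detection section (not code from the advisory or the vendor), the following scanner applies the SIEM query's indicators to web server access logs, URL-decoding the 'sectionContent' value (including double encoding) before matching. It assumes the note is submitted as a GET with 'sectionContent' in the query string and a /docubase/notes/add path; both are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Indicator patterns derived from the advisory's SIEM query, tightened to the
# tag / URL-scheme / event-handler forms so plain words such as "description"
# (which contains "script") do not raise alerts.
INDICATORS = [
    re.compile(r"<\s*/?\s*script\b", re.I),   # <script ...> or </script>
    re.compile(r"javascript\s*:", re.I),       # javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),       # onload=, onerror=, ...
]

# Combined-log-format request part: "METHOD target HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def section_content_values(target):
    """Every decoded sectionContent value in a request target (path?query)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [decode_fully(v) for v in params.get("sectionContent", [])]

def scan_log(lines):
    """Return (line_no, status, decoded value) for each request whose
    sectionContent parameter matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for value in section_content_values(m.group("target")):
            if any(p.search(value) for p in INDICATORS):
                hits.append((n, m.group("status"), value))
    return hits

# Constructed sample access-log lines; the /docubase/notes/add path and the
# GET form of the request are assumptions, not taken from the product.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jun/2024:10:01:02 +0000] "GET /docubase/notes/add?fileId=42&sectionContent=See+file+description HTTP/1.1" 200 512',
    '10.0.0.7 - bob [12/Jun/2024:10:03:14 +0000] "GET /docubase/notes/add?fileId=42&sectionContent=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jun/2024:10:04:55 +0000] "GET /docubase/notes/add?fileId=43&sectionContent=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 200 512',
    '10.0.0.5 - alice [12/Jun/2024:10:05:10 +0000] "GET /docubase/view?fileId=42 HTTP/1.1" 200 2048',
]
```

If the note is posted in a request body rather than the query string, access logs will not contain the value and the same matching has to run on WAF or application logs instead.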