CVE-2024-41504

6.1 MEDIUM

📋 TL;DR

Jetimob Plataforma Imobiliaria 20240627-0 contains a stored cross-site scripting (XSS) vulnerability in the 'Descrico' field when creating or editing activities in the Opportunities section. This allows attackers to inject malicious JavaScript that executes in users' browsers when viewing affected content. All users of the vulnerable version are affected.

💻 Affected Systems

Products:
  • Jetimob Plataforma Imobiliaria
Versions: 20240627-0
Operating Systems: All platforms running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web interface; requires access to create/edit activities in Opportunities section.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.

🟠

Likely Case

Session hijacking, credential theft, or defacement of application content through injected scripts.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to access the activity creation/edit functionality. Public proof-of-concept available on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://jetimob.com

Restart Required: No

Instructions:

No official patch available. Monitor vendor website for updates and apply when released.

🔧 Temporary Workarounds

Input Validation Filter

Implement server-side input validation to sanitize HTML/JavaScript in the Descrico field

Implement input sanitization in the activity creation/edit endpoint

Content Security Policy

Implement strict CSP headers to prevent execution of inline scripts

Add a `Content-Security-Policy: script-src 'self'` header to the web server configuration

🧯 If You Can't Patch

  • Restrict access to activity creation/edit functionality to trusted users only
  • Implement web application firewall (WAF) rules to block XSS payloads in the Descrico parameter

🔍 How to Verify

Check if Vulnerable:

Test by creating an activity with JavaScript payload in Descrico field and verify if it executes when viewing

Check Version:

Check application version in admin panel or about page

Verify Fix Applied:

Test that JavaScript payloads in Descrico field are properly sanitized and do not execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual activity creation/modification patterns
  • JavaScript code in activity description fields

Network Indicators:

  • HTTP requests with JavaScript payloads in Descrico parameter

SIEM Query:

source="web_logs" AND (descrico CONTAINS "<script>" OR descrico CONTAINS "javascript:")
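The same indicator logic as the SIEM query above, run over web access logs, as an added example that is not part of this advisory. The log lines are constructed, and it assumes the Descrico value is visible in the logged request line; if the application sends it in the POST body, the body must be logged for this to see it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not real Jetimob traffic); the
# request paths and the query-string parameter name are assumptions.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [01/Jul/2024:10:00:01 +0000] "POST /opportunities/activity?Descrico=Ligar+para+cliente HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jul/2024:10:00:07 +0000] "POST /opportunities/activity?Descrico=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jul/2024:10:00:09 +0000] "POST /opportunities/activity/12?Descrico=%3Ca+href%3D%22JAVASCRIPT%3Aalert(1)%22%3Ex%3C%2Fa%3E HTTP/1.1" 200 512',
    '10.0.0.7 - carol [01/Jul/2024:10:00:12 +0000] "GET /opportunities HTTP/1.1" 200 2048',
]

# Common-log-format request line: client, user, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# The two indicators named in the advisory's SIEM query. They are matched on the
# URL-decoded, lower-cased value so %3Cscript%3E and JAVASCRIPT: are not missed.
INDICATORS = ("<script", "javascript:")


def suspicious_descrico(target):
    """Return the decoded Descrico value if it carries an indicator, else None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in qs.get("Descrico", []):
        value = unquote_plus(raw)  # parse_qs decoded once; a second pass catches double-encoding
        if any(ind in value.lower() for ind in INDICATORS):
            return value
    return None


def scan(lines):
    """Return one record per log line whose Descrico parameter looks like an XSS attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        payload = suspicious_descrico(m["target"])
        if payload is not None:
            hits.append({"user": m["user"], "ip": m["ip"], "ts": m["ts"], "descrico": payload})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```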
