CVE-2024-41514

5.4 MEDIUM

📋 TL;DR

A reflected cross-site scripting (XSS) vulnerability in CADClick's PrevPgGroup.aspx page allows attackers to inject malicious scripts via the 'wer' parameter. This affects CADClick v1.11.0 and earlier versions, potentially compromising users who access specially crafted URLs.

💻 Affected Systems

Products:
  • CADClick
Versions: v1.11.0 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default installation of CADClick when the PrevPgGroup.aspx page is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, or perform actions on behalf of authenticated users, potentially leading to account takeover or data theft.

🟠 Likely Case

Attackers craft phishing emails with malicious links that execute scripts in victims' browsers, stealing session tokens or redirecting to credential harvesting pages.

🟢 If Mitigated

With proper input validation and output encoding, the vulnerability would be neutralized, preventing script execution even with malicious input.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Reflected XSS vulnerabilities are typically easy to exploit with basic web knowledge. No authentication required to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://cadclick.de/

Restart Required: No

Instructions:

1. Check the vendor website for updates.
2. If a patch is available, download and install it.
3. Verify the fix by testing the vulnerable parameter.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize the 'wer' parameter before processing.

Apply an allow-list regex such as ^[a-zA-Z0-9_-]+$ to the wer parameter and reject any value that does not match.

Output Encoding

all

Apply proper HTML encoding to all user-controlled output in the PrevPgGroup.aspx page.

Use the ASP.NET HTML encoding function, e.g. Server.HtmlEncode(wer), wherever the value is written into the page.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Restrict access to the vulnerable page using network segmentation or authentication

🔍 How to Verify

Check if Vulnerable:

Access PrevPgGroup.aspx?wer=<script>alert('XSS')</script> and check if script executes

Check Version:

Check CADClick version in application interface or configuration files

Verify Fix Applied:

Test the same payload after applying the fixes: the script should not execute and should be displayed as plain text.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to PrevPgGroup.aspx with script tags or encoded payloads in wer parameter
  • Unusual length or character patterns in wer parameter values

Network Indicators:

  • HTTP requests containing <script> tags in URL parameters
  • Requests to PrevPgGroup.aspx with suspicious parameter values

SIEM Query:

source="web_logs" AND uri="*PrevPgGroup.aspx*" AND (query="*<script>*" OR query="*javascript:*")
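A defender-side check for the log indicators and SIEM terms above, added here as an example that is not CADClick's code or part of the advisory: it applies the allow-list from the workaround section to the decoded wer value and flags script markers even when the payload is URL-encoded once or twice. The simplified IIS-style field layout and the log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote
# Allow-list proposed above for 'wer'; anything outside it is at least suspicious.
WER_ALLOWLIST = re.compile(r"^[a-zA-Z0-9_-]+$")
# SIEM-query terms plus common tag/event-handler forms, matched after URL decoding.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|<\s*(img|svg|iframe)\b|\bon\w+\s*=", re.I)
def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (double-encoded payloads)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(stem, query):
    """'xss_marker', 'allowlist_violation', 'ok', or None when not the target page."""
    if not stem.lower().endswith("prevpggroup.aspx"):
        return None
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    worst = "ok"
    for raw in params.get("wer", []):  # parse_qs already decoded one layer
        value = decode_fully(raw)
        if XSS_MARKERS.search(value):
            return "xss_marker"
        if not WER_ALLOWLIST.fullmatch(value):
            worst = "allowlist_violation"
    return worst

def scan_log(lines):
    """Scan constructed 'date time c-ip method stem query status' lines; return findings."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or line.startswith("#"):
            continue
        date, time, client, _method, stem, query, _status = fields[:7]
        verdict = classify(stem, query)
        if verdict not in (None, "ok"):
            findings.append({"time": f"{date} {time}", "client": client, "verdict": verdict})
    return findings
# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-07-15 10:01:02 10.0.0.5 GET /PrevPgGroup.aspx wer=group_12 200
2024-07-15 10:01:09 10.0.0.5 GET /PrevPgGroup.aspx wer=%3Cscript%3Ealert(1)%3C/script%3E 200
2024-07-15 10:01:15 10.0.0.7 GET /PrevPgGroup.aspx wer=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E 200
2024-07-15 10:02:00 10.0.0.9 GET /Default.aspx - 200
2024-07-15 10:02:31 10.0.0.5 GET /PrevPgGroup.aspx wer=a%20b 200
""".splitlines()
```

Real IIS W3C logs carry more fields and a `#Fields:` header; map cs-uri-stem and cs-uri-query to the stem/query positions before reusing scan_log on them.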

🔗 References
