CVE-2024-42904

6.1 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows attackers to inject malicious scripts into the client name parameter, which could execute arbitrary JavaScript in users' browsers. It affects all SysPass 3.2.x installations with the vulnerable ClientController.php file. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:
  • SysPass
Versions: 3.2.x
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations running vulnerable SysPass 3.2.x versions are affected regardless of configuration.

📦 What is this software?

SysPass is a web-based password manager written in PHP; it stores shared credentials for teams and exposes a browser interface for managing clients, categories and accounts.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the password manager, exfiltrate all stored credentials, and compromise the entire credential management system.

🟠 Likely Case

Attackers steal user session cookies, access sensitive passwords they're authorized to view, and potentially pivot to other systems using stolen credentials.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized, preventing execution and limiting impact to failed injection attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but is straightforward once authenticated. Public proof-of-concept demonstrates the injection technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check SysPass repository for latest version

Vendor Advisory: https://github.com/nuxsmin/sysPass/security/advisories

Restart Required: No

Instructions:

1. Back up your SysPass installation and database.
2. Update to the latest SysPass version from the official repository.
3. Verify that the ClientController.php file has proper input validation and output encoding.
4. Clear browser caches and test functionality.

🔧 Temporary Workarounds

Input Validation Filter

Platforms: all

Add server-side input validation to sanitize the name parameter before processing

Modify /Controllers/ClientController.php so that the name parameter is passed through htmlspecialchars() (or equivalent output encoding) at line 89, where it is currently used without sanitization

Web Application Firewall Rule

Platforms: all

Block malicious script patterns in the name parameter

Add a WAF rule that detects and blocks script tags, JavaScript event-handler attributes, and other XSS patterns in POST requests to ClientController.php

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
  • Disable or restrict access to the vulnerable ClientController.php endpoint using web server configuration or authentication middleware

🔍 How to Verify

Check if Vulnerable:

Check if your SysPass version is 3.2.x and examine /Controllers/ClientController.php line 89 for missing input sanitization

Check Version:

Check SysPass version in web interface or examine version files in installation directory

Verify Fix Applied:

Test by attempting to inject basic XSS payloads into the client name field and verify they are properly encoded or rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to ClientController.php with script-like content in parameters
  • Multiple failed login attempts followed by successful authentication and parameter manipulation

Network Indicators:

  • HTTP requests containing script tags, JavaScript functions, or encoded payloads in the name parameter
  • Outbound connections to suspicious domains following successful authentication

SIEM Query:

source="web_server_logs" AND (uri="/Controllers/ClientController.php" AND (param_name="name" AND param_value MATCHES "(?i)(script|javascript|onload|onerror)"))
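The SIEM query above as a small offline scanner, added here as an example and not part of the advisory or of SysPass itself. It assumes a constructed JSON-lines application/WAF log with ts, user, method, uri and params fields, URL-decodes the name value before matching (so encoded payloads are not missed), and adds a tighter second pattern so that benign client names that merely contain a keyword (such as "Subscription") are rated low rather than dropped or escalated.

```python
import json
import re
from urllib.parse import unquote_plus

TARGET_URI = "/Controllers/ClientController.php"
# First pass: the broad keyword pattern from the SIEM query.
BROAD_PATTERN = re.compile(r"(?i)(script|javascript|onload|onerror)")
# Second pass for triage: a tag opener, a javascript: URL, or an event-handler attribute.
MARKUP_PATTERN = re.compile(r"(?i)(<\s*/?\s*\w+|javascript\s*:|\bon\w+\s*=)")

# Constructed JSON-lines records (invented for this example; not real SysPass output).
SAMPLE_LOG = """\
{"ts":"2024-08-20T10:01:02Z","user":"alice","method":"POST","uri":"/Controllers/ClientController.php","params":{"name":"Acme Corp"}}
{"ts":"2024-08-20T10:02:15Z","user":"bob","method":"POST","uri":"/Controllers/ClientController.php","params":{"name":"Test%3Cscript%3Ealert%281%29%3C%2Fscript%3E"}}
{"ts":"2024-08-20T10:03:40Z","user":"carol","method":"POST","uri":"/Controllers/AccountController.php","params":{"name":"<script>other endpoint</script>"}}
{"ts":"2024-08-20T10:04:01Z","user":"dave","method":"POST","uri":"/Controllers/ClientController.php","params":{"name":"Widget \\"onerror=\\"x"}}
{"ts":"2024-08-20T10:05:30Z","user":"erin","method":"POST","uri":"/Controllers/ClientController.php","params":{"name":"Subscription Dept"}}
"""


def scan_log(log_text: str) -> list[dict]:
    """Flag POSTs to ClientController.php whose decoded name parameter hits the
    broad pattern; rate them 'high' if it also looks like markup, else 'low'."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri") != TARGET_URI:
            continue  # the query is scoped to the vulnerable endpoint only
        raw = rec.get("params", {}).get("name")
        if raw is None:
            continue
        decoded = unquote_plus(raw)  # catch URL-encoded payloads as well
        hit = BROAD_PATTERN.search(decoded)
        if not hit:
            continue
        severity = "high" if MARKUP_PATTERN.search(decoded) else "low"
        findings.append({"ts": rec["ts"], "user": rec["user"],
                         "keyword": hit.group(1).lower(),
                         "severity": severity, "name": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['severity']:<4} user={f['user']} keyword={f['keyword']} name={f['name']!r}")
```

The request from carol is ignored because it targets a different controller; widen TARGET_URI if you want to hunt for the same pattern across other endpoints.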
