CVE-2024-45799
📋 TL;DR
CVE-2024-45799 is a cross-site scripting (XSS) vulnerability in FluxCP that allows attackers to inject malicious JavaScript via shop names and vendor/buyer list pages. This enables session hijacking of logged-in users by executing arbitrary code in their browsers. All users running vulnerable versions of FluxCP are affected.
💻 Affected Systems
- FluxCP
📦 What is this software?
FluxCP by rAthena
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts through session theft, leading to unauthorized administrative access, data exfiltration, and potential server takeover.
Likely Case
Attackers steal session cookies to impersonate users, access sensitive account information, and perform unauthorized actions within the control panel.
If Mitigated
Limited impact with proper network segmentation and user awareness, but credential theft remains possible if users access malicious shop pages.
🎯 Exploit Status
Exploitation requires users to visit malicious shop pages, but no authentication is needed to create the malicious content. The injection itself is simple JavaScript.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3
Vendor Advisory: https://github.com/rathena/FluxCP/security/advisories/GHSA-xvqv-25vf-88g4
Restart Required: No
Instructions:
1. Back up the current installation.
2. Download FluxCP version 1.3 from the official repository.
3. Replace vulnerable files with the patched version.
4. Verify shop/vendor pages no longer accept unsanitized JavaScript.
🔧 Temporary Workarounds
No official workarounds
Vendor states no known workarounds exist. Input sanitization must be implemented in code.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution
- Disable shop/vendor list functionality or restrict access to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check if shop names or vendor/buyer lists accept JavaScript input like <script>alert('test')</script> without sanitization.
Check Version:
Check FluxCP version in admin panel or review source code for version markers.
Verify Fix Applied:
Test that JavaScript injection attempts in shop names and vendor/buyer lists are properly sanitized or rejected in version 1.3.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript patterns in shop name inputs
- Multiple failed login attempts from new locations after visiting shop pages
Network Indicators:
- Outbound connections to suspicious domains from user browsers after accessing shop pages
SIEM Query:
web_logs WHERE url CONTAINS '/shop/' AND (request_body CONTAINS '<script>' OR request_body CONTAINS 'javascript:')
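The query above matches only literal strings, so percent-encoded or mixed-case markup in a logged request passes unnoticed. The following Python sketch is an added example, not part of the advisory or of FluxCP: it applies the same two patterns after decoding each field, and additionally checks the URL itself. The field names `url` and `request_body` follow the query, while the `id` field and all sample records are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# The two patterns from the SIEM query, matched case-insensitively.
SUSPICIOUS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)

def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding and HTML entities before matching."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(record: dict) -> bool:
    """True when a /shop/ request carries script-like content in URL or body."""
    url = normalize(record.get("url", ""))
    if "/shop/" not in url.lower():
        return False
    body = normalize(record.get("request_body", ""))
    return bool(SUSPICIOUS.search(url) or SUSPICIOUS.search(body))

def flag(records):
    """Return the ids of records worth a closer look."""
    return [r["id"] for r in records if is_suspicious(r)]

# Constructed sample records; "id" is a hypothetical field added for this example.
SAMPLE = [
    {"id": 1, "url": "/shop/list", "request_body": "name=Potions+and+Arrows"},
    {"id": 2, "url": "/shop/list", "request_body": "name=<script>alert('test')</script>"},
    {"id": 3, "url": "/shop/view", "request_body": "name=%3CScRiPt%3Ealert(1)%3C%2Fscript%3E"},
    {"id": 4, "url": "/shop/view", "request_body": "name=%253Cscript%253Ealert(1)"},
    {"id": 5, "url": "/account/login", "request_body": "note=<script>x</script>"},
    {"id": 6, "url": "/shop/view?ref=javascript:void(0)", "request_body": ""},
]

if __name__ == "__main__":
    print(flag(SAMPLE))
```

Record 5 is skipped because it falls outside the `/shop/` scope of the query; widen the path filter if other pages render the same names.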