CVE-2024-48535

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in eSoft Planner allows attackers to inject malicious scripts into the Name parameter, which are then executed when other users view the affected content. This affects all users of eSoft Planner 3.24.08271-USA who can access the vulnerable interface.

💻 Affected Systems

Products:
  • eSoft Planner
Versions: 3.24.08271-USA
Operating Systems: Any OS running eSoft Planner
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of this specific version are vulnerable unless custom security controls have been implemented.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or install malware through drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the application interface through injected content.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though some functionality disruption may occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the vulnerable Name parameter field, which typically requires some level of authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates or apply workarounds.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement server-side input validation to sanitize the Name parameter by removing or encoding HTML/JavaScript special characters.

Content Security Policy (all platforms)

Implement a strict Content Security Policy header to prevent execution of inline scripts and restrict script sources.

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in the Name parameter
  • Disable or restrict access to the vulnerable interface until a fix is available

🔍 How to Verify

Check if Vulnerable:

Test by entering a basic XSS payload like <script>alert('XSS')</script> into the Name parameter and check if it executes when viewed.

Check Version:

Check application version in admin interface or configuration files

Verify Fix Applied:

After implementing controls, test with the same payload to ensure it's properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual characters or script tags in Name parameter logs
  • Multiple failed input validation attempts

Network Indicators:

  • HTTP requests containing script tags or JavaScript in Name parameter

SIEM Query:

web_requests WHERE url_parameters CONTAINS '<script>' OR url_parameters CONTAINS 'javascript:'
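
The query above matches only literal strings in URL parameters. As an added example (not from the vendor or the original advisory), the Python below decodes the Name value before matching, so URL-encoded and double-encoded submissions in form data are flagged as well. The log layout, the /profile/save path and the sample records are constructed assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Markup that has no place in a name field. Matched after normalisation.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"      # any opening or closing HTML tag
    r"|\bon[a-z]+\s*="      # inline event-handler attribute
    r"|javascript\s*:",     # javascript: URL scheme
    re.IGNORECASE,
)

def normalise(value, max_rounds=3):
    """Undo repeated URL and HTML-entity encoding so the match sees real characters."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value

def flag_name_values(records, param="Name"):
    """Return (record_no, normalised_value) for requests whose Name value carries markup."""
    hits = []
    for record_no, rec in enumerate(records, 1):
        # Assumed log layout: METHOD<space>PATH<space>form-encoded-parameters
        _method, _path, params = rec.split(" ", 2)
        # parse_qs already removes one layer of percent-encoding
        for raw in parse_qs(params, keep_blank_values=True).get(param, []):
            value = normalise(raw)
            if SUSPICIOUS.search(value):
                hits.append((record_no, value))
    return hits

# Constructed sample records (not taken from a real eSoft Planner log).
SAMPLE = [
    "POST /profile/save Name=Alice+O%27Neil&Phone=555-0100",
    "POST /profile/save Name=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E",
    "POST /profile/save Name=%253Cscript%253Ealert(%2527XSS%2527)%253C%252Fscript%253E",
    "POST /profile/save Name=Bob&Notes=see+%3Cb%3Ebold%3C%2Fb%3E",
]

if __name__ == "__main__":
    for record_no, value in flag_name_values(SAMPLE):
        print(f"record {record_no}: suspicious Name value {value!r}")
```

Only the Name parameter is inspected, so record 4 (markup in a different field) is not reported; widen `param` handling if other fields are rendered unencoded.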
