CVE-2024-49708
📋 TL;DR
This stored XSS vulnerability in SoftCOM iKSORIS Internet Starter module allows attackers to inject malicious scripts into delivery address forms. When users view these forms, the scripts execute in their browser context, potentially stealing session cookies or performing unauthorized actions. Organizations using vulnerable versions of iKSORIS systems are affected.
💻 Affected Systems
- SoftCOM iKSORIS Internet Starter module
📦 What is this software?
iKSORIS by SoftCOM, a ticket reservation and sales system (per the vendor page linked under Official Fix)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Session hijacking, credential theft, or unauthorized actions performed in users' contexts, particularly affecting customers using the delivery address functionality.
If Mitigated
Limited impact with proper input validation and output encoding, though stored XSS remains a persistent threat until patched.
🎯 Exploit Status
Exploitation requires user interaction with malicious forms, but XSS payloads are well-documented and easy to craft.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 79.0
Vendor Advisory: https://www.iksoris.pl/system-rezerwacji-i-sprzedazy-biletow-iksoris.html
Restart Required: Yes
Instructions:
1. Download version 79.0 or later from SoftCOM vendor
2. Backup current installation and data
3. Apply the update following vendor instructions
4. Restart the iKSORIS application/services
5. Verify the update was successful
🔧 Temporary Workarounds
Input Validation Filter
- Implement server-side input validation to sanitize delivery address form inputs
- Implement regex filtering for special characters in form handlers
Content Security Policy
- Deploy CSP headers to restrict script execution
- Add 'Content-Security-Policy' header with script-src directives
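The two workarounds above, shown together as an added example (this is not SoftCOM or iKSORIS code; the handler shape, field names, allowlist patterns and the CSP value are assumptions). It combines allowlist validation of the address fields on input with HTML output encoding on render, since encoding at output is what actually stops a stored value from becoming markup, and returns the CSP header the workaround recommends.

```python
"""Added example, not iKSORIS code: hardening a delivery-address form handler
against stored XSS with stdlib only. Field names and patterns are assumptions."""
import html
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Allowlist patterns per field (assumed; tune to real address data).
# \w covers letters incl. Polish diacritics; angle brackets, quotes etc. are rejected.
FIELD_RULES = {
    "name":   re.compile(r"^[\w .'\-]{1,100}$"),
    "street": re.compile(r"^[\w .,/\-]{1,120}$"),
    "postal": re.compile(r"^\d{2}-\d{3}$"),        # Polish postal code format (assumption)
    "city":   re.compile(r"^[\w .\-]{1,80}$"),
}


@dataclass
class Address:
    name: str
    street: str
    postal: str
    city: str


def validate_address(form: Dict[str, str]) -> Tuple[Optional[Address], List[str]]:
    """Server-side allowlist validation. Returns (Address, []) on success or
    (None, [names of fields that failed]) so the caller can reject the submission."""
    errors: List[str] = []
    clean: Dict[str, str] = {}
    for field, rule in FIELD_RULES.items():
        value = (form.get(field) or "").strip()
        if not rule.fullmatch(value):
            errors.append(field)
        clean[field] = value
    if errors:
        return None, errors
    return Address(**clean), []


def render_address(addr: Address) -> str:
    """Output encoding: every stored field is HTML-escaped at render time, so even a
    value that slipped past validation (or was stored before the filter existed)
    is shown as text rather than interpreted as markup."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)
    return (
        '<div class="delivery-address">'
        f"<span>{esc(addr.name)}</span><br>"
        f"<span>{esc(addr.street)}</span><br>"
        f"<span>{esc(addr.postal)} {esc(addr.city)}</span>"
        "</div>"
    )


def csp_header() -> Tuple[str, str]:
    """Response header for the CSP workaround. 'self'-only script-src blocks inline
    scripts and javascript: URLs; object-src 'none' closes the plugin vector.
    The exact policy is an assumption and must be adjusted to the site's assets."""
    return (
        "Content-Security-Policy",
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
    )
```

Validation alone is not sufficient: addresses already stored before the filter was deployed are still rendered, which is why `render_address` escapes unconditionally and the CSP is layered on top.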
🧯 If You Can't Patch
- Implement WAF rules to block XSS payloads in form submissions
- Disable or restrict access to the delivery address functionality if not critical
🔍 How to Verify
Check if Vulnerable:
Check iKSORIS version in admin panel or configuration files, verify if version is below 79.0
Check Version:
Check admin dashboard or configuration files for version information
Verify Fix Applied:
Confirm version is 79.0 or higher in system settings, test delivery address forms with basic XSS payloads to ensure they're sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual form submissions with script tags or JavaScript code
- Multiple failed validation attempts on delivery address forms
- User complaints about unexpected page behavior
Network Indicators:
- HTTP requests containing script tags in form parameters
- Unusual outbound connections from the iKSORIS application
SIEM Query:
source="iKSORIS_logs" AND (form_submission="delivery_address" AND (message="*<script>*" OR message="*javascript:*"))
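The SIEM query above, re-implemented over constructed log lines as an added example (not iKSORIS code; the key="value" log layout and the sample lines are assumptions, since the real log format is not documented here). It applies the same source and form filters and the same two indicators, and additionally checks one layer of URL-decoding, because a wildcard match on the raw message field misses percent-encoded submissions; it also counts repeated hits per user to cover the "multiple attempts" indicator.

```python
"""Added example, not iKSORIS code: offline version of the advisory's SIEM query
over constructed log lines. Log layout is an assumption."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines (not real iKSORIS output).
SAMPLE_LOGS = """\
ts=2024-10-01T10:00:00Z source="iKSORIS_logs" form_submission="delivery_address" user="u1" message="street=ul. Dluga 5"
ts=2024-10-01T10:00:05Z source="iKSORIS_logs" form_submission="delivery_address" user="u2" message="street=<script>x</script>"
ts=2024-10-01T10:00:09Z source="iKSORIS_logs" form_submission="login" user="u3" message="<script>"
ts=2024-10-01T10:00:12Z source="iKSORIS_logs" form_submission="delivery_address" user="u4" message="city=%3Cscript%3E"
ts=2024-10-01T10:00:20Z source="iKSORIS_logs" form_submission="delivery_address" user="u5" message="name=JAVASCRIPT:void"
ts=2024-10-01T10:00:31Z source="iKSORIS_logs" form_submission="delivery_address" user="u2" message="city=<script >"
"""

# key=value or key="quoted value" pairs
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The advisory's two indicators, made case-insensitive and tolerant of whitespace.
INDICATORS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def is_suspicious(message: str) -> bool:
    """Match the raw field and its URL-decoded form; the SIEM wildcard alone only
    sees the raw text, so %3Cscript%3E would slip past it."""
    return bool(INDICATORS.search(message) or INDICATORS.search(unquote(message)))


def find_xss_submissions(log_text: str) -> List[Dict[str, str]]:
    """Equivalent of: source="iKSORIS_logs" AND form_submission="delivery_address"
    AND (message="*<script>*" OR message="*javascript:*"), plus decoding."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("source") != "iKSORIS_logs":
            continue
        if rec.get("form_submission") != "delivery_address":
            continue
        if is_suspicious(rec.get("message", "")):
            hits.append(rec)
    return hits


def repeat_offenders(hits: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Users with at least `threshold` flagged submissions (the advisory's
    'multiple failed validation attempts' indicator)."""
    counts = Counter(h.get("user", "") for h in hits)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    flagged = find_xss_submissions(SAMPLE_LOGS)
    for rec in flagged:
        print(rec["ts"], rec["user"], rec["message"])
    print("repeat offenders:", repeat_offenders(flagged))
```

The login-form line is deliberately excluded, matching the query's `form_submission="delivery_address"` filter; if the application logs decoded parameters elsewhere, that field should be searched too so the decoding step is not needed.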