CVE-2024-50849
📋 TL;DR
A stored cross-site scripting vulnerability in WorldServer's Rules functionality allows authenticated attackers to inject malicious JavaScript that executes when other users view affected rules. This affects WorldServer v11.8.2 installations where authenticated users can create or modify rules. The vulnerability enables client-side code execution within the context of the victim's browser session.
💻 Affected Systems
- SDL WorldServer
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user could steal session cookies, perform actions as other users, redirect to phishing sites, or compromise administrative accounts if administrators view malicious rules.
Likely Case
Attackers with regular user accounts could steal session tokens from other users, perform unauthorized actions, or deface the application interface through injected content.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented, and with least privilege access controls, the attack surface would be limited to fewer users.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist on GitHub. Exploitation requires authenticated access but is technically simple once authentication is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.trados.com/product/worldserver/
Restart Required: No
Instructions:
1. Check the vendor website for security updates. 2. Apply any available patches for WorldServer v11.8.2. 3. Verify the fix by testing the Rules functionality for XSS vulnerabilities.
🔧 Temporary Workarounds
Implement Content Security Policy
allAdd a Content Security Policy header to restrict script execution sources
Add 'Content-Security-Policy: script-src 'self'' to web server configuration
Disable Rules Functionality
allTemporarily disable or restrict access to the Rules functionality if not essential
Configure application permissions to remove Rules access from non-admin users
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-supplied data in the Rules functionality
- Apply the principle of least privilege by restricting Rules access to only essential administrative users
🔍 How to Verify
Check if Vulnerable:
Test the Rules functionality by attempting to inject JavaScript payloads and observing if they execute when viewing the ruleCheck Version:
Check the WorldServer administration interface or configuration files for version informationVerify Fix Applied:
Retest the Rules functionality with the same XSS payloads to confirm they are properly sanitized and no longer execute📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript patterns in Rules content
- Multiple failed login attempts followed by Rules modifications
- Rules containing script tags or JavaScript event handlers
Network Indicators:
- HTTP requests to Rules endpoints with suspicious parameters
- Outbound connections to external domains from WorldServer users
SIEM Query:
source="worldserver" AND (event="rule_modified" OR event="rule_created") AND (data CONTAINS "<script>" OR data CONTAINS "javascript:")