CVE-2024-51322

5.4 MEDIUM

📋 TL;DR

This cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 2.4 lets an authenticated attacker inject script through several web components (/jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom and /jsp/gsmd_container.jsp). The injected script runs in the browser of any user who loads the affected page, so it can steal session tokens, read data the victim is allowed to see and perform actions with the victim's privileges. It does not by itself give code execution on the server. Organizations running Zucchetti Ad Hoc Infinity 2.4 are affected.

💻 Affected Systems

Products:
  • Zucchetti Ad Hoc Infinity
Versions: 2.4
Operating Systems: All platforms running the software
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a valid account to exploit and a victim user who loads the affected page. Four vulnerable endpoints are identified: /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom and /jsp/gsmd_container.jsp.

📦 What is this software?

Ad Hoc Infinity is Zucchetti's web-based ERP suite; the components named in this advisory are JSP pages and a servlet of its web interface, so the vulnerability is reached through the normal browser front end by logged-in users.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An administrator's session is taken over by injected script, letting the attacker perform administrative actions in the ERP on that user's behalf (account and permission changes, data export) and reach any function the victim can reach. Server-side code execution is not a consequence of this XSS on its own; it would require a further, separate weakness.

🟠

Likely Case

Session hijacking, credential theft through injected fake login forms, and unauthorized access to data visible to the victim user, all driven from the victim's browser by the XSS payload.

🟢

If Mitigated

Limited impact: with correct output encoding the payload renders as harmless text, and a Content Security Policy plus HttpOnly session cookies blunt what any residual injection can do.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid account on the application but otherwise uses standard XSS techniques; the attacker also needs a victim user to load the page carrying the injected script.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Unknown (depends on how the vendor ships the fix)

Instructions:

No official patch is identified on this page. Contact Zucchetti for a fixed build of Ad Hoc Infinity 2.4 and track the vendor's advisory. The root cause is missing context-aware output encoding of user-controlled data in the affected JSP pages and servlet, which can only be corrected in the vendor's code; until a fix is available, apply the workarounds below.

🔧 Temporary Workarounds

Input Validation and Output Encoding

Platform: all

The root-cause fix is context-aware output encoding (HTML body, attribute and JavaScript contexts) of every user-controlled value rendered by the affected components, with input validation as defense in depth. This is a change to the vendor's code; customers who maintain local customizations of these JSP pages should apply the same encoding in their copies.

Web Application Firewall Rules

Platform: all

Deploy WAF rules in front of /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom and /jsp/gsmd_container.jsp that inspect both query strings and POST bodies. A bare string match on "<script>" is trivially bypassed (URL or HTML-entity encoding, event-handler attributes such as onerror=, javascript: URLs, <svg>/<img>/<iframe> tags), so normalize (URL-decode, entity-decode) before matching and use the WAF's XSS detection operator or managed XSS rule set rather than a single signature. Treat the WAF as a speed bump that buys time, not as the fix.

🧯 If You Can't Patch

  • Deploy a Content Security Policy that removes 'unsafe-inline' from script-src and limits script sources to the application's own origin, so injected inline script is blocked even while the encoding bug remains. Roll it out with Content-Security-Policy-Report-Only first: older JSP applications typically rely on inline scripts and a strict policy can break the UI. Also mark the session cookie HttpOnly and Secure so script that does run cannot read it directly (it can still drive the application from the victim's browser).
  • Restrict who can reach the vulnerable endpoints: keep the application off the public internet (VPN or a reverse proxy with client authentication) and reduce the number of accounts able to submit input to the affected components, since exploitation needs an authenticated attacker.

🔍 How to Verify

Check if Vulnerable:

With a valid session (and written authorization to test), submit a unique, harmless canary containing HTML metacharacters (a random token followed by <"'>) in the user-controlled parameters of /jsp/home.jsp, /jsp/gsfr_feditorHTML.jsp, /servlet/SPVisualZoom and /jsp/gsmd_container.jsp, then inspect the raw HTTP response. If the canary comes back verbatim inside the HTML, that parameter is reflected unencoded and the endpoint is vulnerable; if it comes back as &lt;&quot;&#39;&gt; (or &#x27; for the quote), it is encoded for an HTML context. Use an intercepting proxy or a small script rather than the browser so you see the raw response, and test each parameter of each endpoint, not just one.

Check Version:

Check application version through admin interface or configuration files.

Verify Fix Applied:

After the vendor fix is installed, repeat the canary test on every parameter of every affected endpoint and confirm the metacharacters are encoded in every response; then load the pages in a browser with a benign payload (for example one that only changes the page title) to confirm that no injected script executes.
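The canary test described under "Check if Vulnerable" and "Verify Fix Applied", written out as an added example (this is not code from the advisory or from Zucchetti). The advisory does not name the vulnerable parameters, so the script takes the parameter name from the tester, who copies it from an intercepted request; the host name and the session cookie are placeholders too. The canary carries no executable payload: it only measures whether HTML metacharacters come back encoded.

```python
"""Canary reflection probe for the endpoints named in this advisory.

Added example, not code from the advisory or from Zucchetti. Assumptions:
- the advisory does not name the vulnerable parameters, so the tester supplies
  the parameter name copied from an intercepted request (PARAM below);
- a valid Ad Hoc Infinity session cookie is supplied on the command line;
- the canary is harmless (no executable payload), so the probe only measures
  whether HTML metacharacters come back encoded.
"""
import html
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

# Endpoints listed in the advisory.
ENDPOINTS = [
    "/jsp/home.jsp",
    "/jsp/gsfr_feditorHTML.jsp",
    "/servlet/SPVisualZoom",
    "/jsp/gsmd_container.jsp",
]


def make_canary() -> str:
    """Random token followed by the metacharacters that output encoding must neutralize."""
    return "zq" + secrets.token_hex(4) + "<\"'>"


def classify_reflection(body: str, canary: str) -> str:
    """How did the canary come back?

    'unencoded': returned verbatim, i.e. the parameter is reflected without
                 encoding (vulnerable in an HTML context);
    'encoded':   returned with <, ", ' and > HTML-encoded (safe for that context);
    'partial':   the token is present but the metacharacters were altered some
                 other way (e.g. only < and > encoded): inspect by hand;
    'absent':    the value is not reflected in this response at all.
    """
    if canary in body:
        return "unencoded"
    escaped = html.escape(canary)                       # quote becomes &#x27;
    if escaped in body or escaped.replace("&#x27;", "&#39;") in body:
        return "encoded"
    token = canary.split("<", 1)[0]
    return "partial" if token in body else "absent"


def probe(base_url: str, path: str, param: str, cookie: str, method: str = "GET") -> str:
    """Send one canary to one endpoint with the session cookie and classify the reply."""
    canary = make_canary()
    form = urllib.parse.urlencode({param: canary}).encode()
    if method == "GET":
        req = urllib.request.Request(base_url + path + "?" + form.decode())
    else:
        req = urllib.request.Request(base_url + path, data=form, method="POST")
    req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            raw, charset = resp.read(), resp.headers.get_content_charset()
    except urllib.error.HTTPError as err:               # error pages reflect input too
        raw, charset = err.read(), err.headers.get_content_charset()
    return classify_reflection(raw.decode(charset or "utf-8", "replace"), canary)


if __name__ == "__main__":
    # usage: python probe.py https://erp.example.test "JSESSIONID=..." PARAM
    # (host, cookie value and PARAM are placeholders the tester replaces)
    base, cookie, param = sys.argv[1:4]
    for path in ENDPOINTS:
        for method in ("GET", "POST"):
            print(f"{method:4} {path:28} {param}: {probe(base, path, param, cookie, method)}")
```

A result of "unencoded" on any endpoint is a confirmed finding; "partial" means the application altered the value without full encoding (often an attribute context where only < and > are escaped) and needs a manual look in the response, since a single unescaped quote can still break out of an attribute.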

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to vulnerable endpoints with script-like payloads
  • Multiple failed authentication attempts followed by successful login and XSS payloads

Network Indicators:

  • HTTP requests containing script tags or JavaScript payloads to affected endpoints
  • Connections from users' browsers to unfamiliar external hosts shortly after loading the affected pages (injected script exfiltrating session tokens or page content); outbound traffic from the application server itself is not an indicator of this XSS

SIEM Query:

source="web_server" AND (uri="/jsp/home.jsp" OR uri="/jsp/gsfr_feditorHTML.jsp" OR uri="/servlet/SPVisualZoom" OR uri="/jsp/gsmd_container.jsp") AND (decoded_request MATCHES "(?i)(<\s*script|javascript\s*:|<\s*(svg|img|iframe)|\bon[a-z]+\s*=)")

The query is vendor-neutral pseudo-syntax; decoded_request stands for the URL-decoded query string plus request body (decode twice to catch double encoding). A literal "<script>" match misses encoded payloads and attribute-based vectors. Standard access logs do not record POST bodies, so body matching needs request-body logging from the WAF or reverse proxy.
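The same detection logic run over access-log lines, as an added example (not tooling from the advisory or from Zucchetti). It assumes Apache/Tomcat combined log format; the sample lines, their IPs, user names and the query parameter names in them (view, title) are constructed for illustration, since the advisory does not name the vulnerable parameters.

```python
"""Scan access logs for XSS-style payloads aimed at the endpoints in this advisory.

Added example, not from the advisory or from Zucchetti. Assumes Apache/Tomcat
combined log format ('%h %l %u %t "%r" %s %b'). The log lines and the query
parameter names in them (view, title) are constructed for illustration; the
advisory does not name the vulnerable parameters.
"""
import re
import urllib.parse

TARGET_PATHS = {
    "/jsp/home.jsp",
    "/jsp/gsfr_feditorHTML.jsp",
    "/servlet/SPVisualZoom",
    "/jsp/gsmd_container.jsp",
}

# Indicators beyond a literal "<script>": event-handler attributes, javascript:
# URLs and tags that commonly carry a handler. Applied after URL decoding.
# "\bon[a-z]+\s*=" also matches harmless names such as "online=1"; tune per site.
XSS_PATTERN = re.compile(
    r"<\s*script|javascript\s*:|<\s*(?:svg|img|iframe|body|object|embed)\b|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly: double encoding (%253C) defeats single-pass matching."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path not in TARGET_PATHS:
        return None
    decoded = decode_fully(query)
    hit = XSS_PATTERN.search(decoded)
    if not hit:
        return None
    return {
        "ip": m.group("ip"), "user": m.group("user"), "method": m.group("method"),
        "path": path, "status": m.group("status"),
        "indicator": hit.group(0), "decoded_query": decoded,
    }


def scan(lines):
    """All findings across an iterable of log lines."""
    return [f for f in map(scan_line, lines) if f]


# Constructed sample: a normal request, a single-encoded <img onerror> payload,
# a double-encoded <script>, the same payload to an endpoint outside the advisory,
# and a POST whose body (where a payload would sit) is not in the access log.
SAMPLE_LOG = [
    '10.0.0.5 - mrossi [12/Nov/2024:09:14:02 +0100] "GET /jsp/home.jsp?view=dashboard HTTP/1.1" 200 5123',
    '10.0.0.5 - mrossi [12/Nov/2024:09:14:40 +0100] "GET /jsp/gsmd_container.jsp?title=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 4480',
    '10.0.0.9 - - [12/Nov/2024:09:15:01 +0100] "GET /jsp/gsmd_container.jsp?title=%253Cscript%253E HTTP/1.1" 200 4480',
    '10.0.0.7 - lbianchi [12/Nov/2024:09:16:13 +0100] "GET /jsp/other.jsp?q=%3Cscript%3E HTTP/1.1" 200 100',
    '10.0.0.7 - lbianchi [12/Nov/2024:09:17:55 +0100] "POST /servlet/SPVisualZoom HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On the sample the scanner flags the single-encoded <img onerror> request and the double-encoded <script> request, ignores the payload sent to a path outside the advisory, and cannot see the POST to /servlet/SPVisualZoom at all because the access log has no body; that last gap is why the WAF or reverse-proxy audit log is the better source for POST-based payloads.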
