CVE-2024-51380
📋 TL;DR
A stored Cross-Site Scripting (XSS) vulnerability in JATOS v3.9.3 allows attackers to inject malicious JavaScript into the UUID field of study properties. When an admin user views the properties, the script executes in their browser, potentially leading to account compromise and privilege escalation. This affects JATOS administrators who access study properties.
💻 Affected Systems
- JATOS
📦 What is this software?
JATOS (Just Another Tool for Online Studies), developed by the JATOS project.
⚠️ Risk & Real-World Impact
Worst Case
Admin account takeover leading to complete system compromise, data theft, or deployment of backdoors across the JATOS platform.
Likely Case
Session hijacking of admin accounts, unauthorized study modifications, or credential theft through phishing.
If Mitigated
Limited impact if admins use script-blocking browsers or have strict CSP policies, though XSS execution remains possible.
🎯 Exploit Status
Exploitation requires ability to modify study properties (typically authenticated users); public proof-of-concept exists in the Medium article reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch identified; monitor JATOS releases for updates and apply when available. Consider upgrading to latest version if it addresses this CVE.
🔧 Temporary Workarounds
Input Validation and Sanitization (all platforms)
Implement server-side validation to sanitize UUID field inputs, rejecting or encoding JavaScript content.
Not applicable - requires code changes
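The validation described above, as an added example that is not code from the advisory or from the JATOS project: the UUID field is checked strictly against the canonical RFC 4122 textual form before it is stored, and the admin view encodes the value on output as a second layer. Function names (`is_valid_uuid`, `validate_study_uuid`, `render_property`) are hypothetical, and the test strings are constructed, not taken from the advisory.

```python
import html
import re
import uuid

# Canonical RFC 4122 textual form: 8-4-4-4-12 hex digits and nothing else.
# uuid.UUID() alone also accepts braces, "urn:uuid:" prefixes and hyphen-less
# forms, so the regex is applied first to keep the accepted format strict.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def is_valid_uuid(value) -> bool:
    """Return True only if value is exactly a canonical UUID string."""
    if not isinstance(value, str) or not UUID_RE.fullmatch(value):
        return False
    try:
        # Round-trip through uuid.UUID so only well-formed values pass.
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def validate_study_uuid(value) -> str:
    """Server-side check for the study-properties UUID field (hypothetical hook).

    Rejects anything that is not a UUID, so script fragments never reach storage.
    Returns the normalised lower-case UUID on success.
    """
    if not is_valid_uuid(value):
        raise ValueError("study UUID must be a canonical RFC 4122 UUID")
    return value.lower()


def render_property(label: str, value: str) -> str:
    """Output encoding for the admin properties view (hypothetical template).

    HTML-escapes both label and value before interpolating them, so even a
    value that slipped past validation is displayed as text, not executed.
    """
    return f"<td>{html.escape(label)}</td><td>{html.escape(value, quote=True)}</td>"


if __name__ == "__main__":
    # Constructed inputs: one legitimate UUID and one script fragment.
    for candidate in ["123e4567-e89b-12d3-a456-426614174000", "<script>alert(1)</script>"]:
        try:
            print("accepted:", validate_study_uuid(candidate))
        except ValueError as err:
            print("rejected:", repr(candidate), "-", err)
    print(render_property("uuid", "<script>alert(1)</script>"))
```

Validation on write is the actual fix; the output encoding is defense in depth for values that were stored before the check existed, which is the situation an administrator of an already-affected instance is in.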
Content Security Policy (CSP) (all platforms)
Deploy a strict CSP header to block inline scripts and restrict script sources, mitigating XSS impact.
Add a CSP header in the web server config, e.g., Content-Security-Policy: default-src 'self'; script-src 'self'
🧯 If You Can't Patch
- Restrict admin access to study properties to trusted users only and monitor for unusual activity.
- Use browser extensions or settings to disable JavaScript execution for the JATOS admin interface.
🔍 How to Verify
Check if Vulnerable:
Check JATOS version; if running v3.9.3, test by attempting to inject JavaScript into the UUID field of study properties and observe if it executes when viewed.
Check Version:
Check JATOS interface or configuration files for version information; typically visible in web UI or via server logs.
Verify Fix Applied:
After applying workarounds or updates, retest injection attempts to confirm JavaScript does not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to study properties, especially UUID fields with script-like content
- Admin session anomalies or unexpected access patterns
Network Indicators:
- HTTP requests containing JavaScript payloads in UUID parameters
- Unexpected outbound connections from admin browsers post-property view
SIEM Query:
source="jatos_logs" AND message="*UUID*" AND (message="*script*" OR message="*alert*" OR message="*javascript*")
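The detection logic above, run over constructed log lines as an added example that is not part of the advisory and not JATOS's real log format: `matches_siem_query` applies the query with its intended precedence (a UUID-related message that also contains a script-like term), and `uuid_field_is_malformed` adds a higher-precision check that a `uuid` field whose value is not a canonical UUID is worth a look regardless of which keywords it contains. The key=value log layout, field names and function names are assumptions.

```python
import re

# Constructed sample lines in an assumed key=value layout (not real JATOS output).
SAMPLE_LOGS = [
    'ts=2024-11-01T10:00:00Z user=admin action=study.update field=uuid value="123e4567-e89b-12d3-a456-426614174000"',
    'ts=2024-11-01T10:05:12Z user=alice action=study.update field=uuid value="<script>alert(1)</script>"',
    'ts=2024-11-01T10:06:30Z user=bob action=study.update field=title value="Alert fatigue study"',
    'ts=2024-11-01T10:07:45Z user=carol action=study.update field=uuid value="javascript:void(0)"',
]

# Keyword terms from the advisory's SIEM query.
SCRIPT_TERMS = ("script", "alert", "javascript")

CANONICAL_UUID = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)
FIELD_RE = re.compile(r'field=(\w+) value="(.*)"$')


def matches_siem_query(line: str) -> bool:
    """Keyword rule: the line mentions UUID AND at least one script-like term.

    The AND is essential; without it a benign title containing "Alert" would
    fire on every study update.
    """
    low = line.lower()
    return "uuid" in low and any(term in low for term in SCRIPT_TERMS)


def uuid_field_is_malformed(line: str) -> bool:
    """Structural rule: a uuid field whose value is not a canonical UUID.

    This catches payloads that avoid the listed keywords entirely, and stays
    quiet on fields that are free text by design.
    """
    match = FIELD_RE.search(line)
    if not match or match.group(1).lower() != "uuid":
        return False
    return CANONICAL_UUID.match(match.group(2)) is None


def triage(lines):
    """Return one finding per suspicious line, tagged with which rule fired."""
    findings = []
    for line in lines:
        keyword_hit = matches_siem_query(line)
        malformed = uuid_field_is_malformed(line)
        if keyword_hit or malformed:
            findings.append({"line": line, "keyword_hit": keyword_hit, "malformed_uuid": malformed})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample, the legitimate update and the "Alert fatigue study" title are left alone, while both uuid-field writes that carry non-UUID content are flagged by both rules; in practice the structural rule is the one to alert on, and the keyword rule is a fallback for log sources where the field is not parsed out.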