CVE-2024-51382
📋 TL;DR
This CSRF vulnerability in JATOS v3.9.3 allows attackers to trick administrators into unknowingly resetting their passwords, leading to complete account takeover. Any JATOS installation running the vulnerable version is affected, particularly those exposed to the internet or used in multi-user environments.
💻 Affected Systems
- JATOS (Just Another Tool for Online Studies)
📦 What is this software?
JATOS by JATOS
⚠️ Risk & Real-World Impact
Worst Case
Complete administrative account takeover leading to full system compromise, data theft, service disruption, and potential lateral movement to connected systems.
Likely Case
Administrator account hijacking allowing attackers to modify experiments, access sensitive research data, and potentially deploy malicious code.
If Mitigated
Limited impact with proper CSRF protections and network segmentation, though some risk remains if administrators access malicious content.
🎯 Exploit Status
Exploitation requires the administrator to be tricked into visiting a malicious webpage while authenticated to JATOS. The Medium article provides technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.9.4 or later
Vendor Advisory: https://github.com/JATOS/JATOS/releases
Restart Required: Yes
Instructions:
1. Back up your JATOS data and configuration.
2. Download JATOS v3.9.4 or later from the GitHub releases page.
3. Stop the JATOS service.
4. Replace the JATOS installation with the new version.
5. Restart the JATOS service.
6. Verify that the version has been updated.
🔧 Temporary Workarounds
CSRF Token Implementation
Manually add CSRF tokens to password reset forms if patching isn't immediately possible
Network Segmentation
Restrict the JATOS admin interface to internal networks only
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and Content Security Policy headers
- Require administrators to use separate browser profiles or incognito mode for JATOS access
🔍 How to Verify
Check if Vulnerable:
Check JATOS version via web interface or by examining the installation directory. If version is exactly 3.9.3, it's vulnerable.
Check Version:
Check JATOS web interface footer or examine jatos_version.txt in installation directory
Verify Fix Applied:
After patching, verify version shows 3.9.4 or later. Test password reset functionality with CSRF testing tools.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful password reset
- Password reset requests from unusual IP addresses or user agents
Network Indicators:
- HTTP POST requests to /jatos/admin/passwordReset without proper referrer headers
- Unusual traffic patterns to admin endpoints
SIEM Query:
source="jatos.log" AND ("passwordReset" OR "admin") AND status=200
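As an added example (not part of this advisory and not JATOS code), the following Python script applies the network indicator above, a password reset POST without a proper referrer, to access-log records: it flags POSTs to the reset endpoint whose Origin/Referer header is missing or belongs to a foreign site. The endpoint path is the one listed above; the JSON-lines log format, the trusted origin and the sample records are constructed assumptions for the example.

```python
import json
from urllib.parse import urlparse

# Endpoint path from this page's network indicators; the trusted origin
# is a constructed value for this example.
RESET_PATH = "/jatos/admin/passwordReset"
TRUSTED_ORIGIN = "https://jatos.example.org"

def _origin_of(url):
    # Reduce a URL to scheme://host[:port]; None when absent or malformed.
    if not url:
        return None
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None

def classify(entry, trusted_origin=TRUSTED_ORIGIN):
    """Return a reason if one log record looks like a cross-site reset POST, else None."""
    if entry.get("method") != "POST" or entry.get("path") != RESET_PATH:
        return None
    # Browsers send Origin on cross-site POSTs; Referer may be stripped by
    # referrer policy, so judge on whichever header is present.
    source = _origin_of(entry.get("origin")) or _origin_of(entry.get("referer"))
    if source is None:
        return "password reset POST without Origin or Referer"
    if source != trusted_origin:
        return f"password reset POST from foreign origin {source}"
    return None

def flag_suspicious_resets(log_lines, trusted_origin=TRUSTED_ORIGIN):
    """Scan JSON-lines access log records; return (client_ip, reason) pairs."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        reason = classify(entry, trusted_origin)
        if reason:
            findings.append((entry.get("client_ip"), reason))
    return findings

# Constructed sample records (not real JATOS log output).
SAMPLE_LOG = [
    '{"client_ip": "10.0.0.5", "method": "POST", "path": "/jatos/admin/passwordReset", "origin": "https://jatos.example.org"}',
    '{"client_ip": "203.0.113.9", "method": "POST", "path": "/jatos/admin/passwordReset", "origin": "https://foreign.example.net"}',
    '{"client_ip": "203.0.113.10", "method": "POST", "path": "/jatos/admin/passwordReset"}',
    '{"client_ip": "10.0.0.6", "method": "GET", "path": "/jatos/admin"}',
]

if __name__ == "__main__":
    for ip, reason in flag_suspicious_resets(SAMPLE_LOG):
        print(f"{ip}: {reason}")
```

Feed it your own access log (one JSON object per line with method, path, origin, referer and client_ip fields) and review every hit against the successful-reset log indicator listed above.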