CVE-2024-51423
📋 TL;DR
This is a reflected Cross-Site Scripting (XSS) vulnerability in Infor Global HR (GHR) that lets an attacker inject script through the class parameter. A victim who opens a crafted link runs the attacker's script in the context of their GHR session, which can lead to session hijacking, credential theft, or redirection to malicious sites. Organizations running Infor Global HR GHR versions 11.23.03.00.21 and earlier are affected.
💻 Affected Systems
- Infor Global HR GHR
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator credentials, takes over HR system, accesses sensitive employee data (SSNs, salaries, performance reviews), and potentially pivots to other corporate systems.
Likely Case
Attacker steals user session cookies to impersonate legitimate users, accesses HR data they shouldn't have access to, or redirects users to phishing sites.
If Mitigated
Script execution is blocked by a strict Content Security Policy or a WAF rule, or the victim never opens the link; the only trace is a logged, failed attempt with no impact.
🎯 Exploit Status
Exploitation requires the attacker to get a user with a valid GHR session to open a specially crafted link. Because the XSS is reflected, the payload travels in the URL's class parameter and nothing has to be stored on the server, so the attack is typically delivered by phishing email or chat message and succeeds only with user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: A release later than 11.23.03.00.21; confirm the exact fixed build with Infor support.
Vendor Advisory: https://docs.offsecguy.com/cve/infor/vulnerability/reflected-xss
Restart Required: No
Instructions:
1. Contact Infor support for the latest patched version.
2. Apply the patch following Infor's deployment procedures.
3. Test the application functionality after patching.
🔧 Temporary Workarounds
Implement Web Application Firewall (WAF)
Configure WAF rules to block XSS patterns (script tags, event-handler attributes, javascript: URIs) in the class parameter. Match on the URL-decoded value, since payloads arrive percent-encoded, and expect determined attackers to probe for encodings the rule set misses.
Content Security Policy (CSP)
Deploy a strict CSP (no 'unsafe-inline' in script-src) so reflected script does not execute. Test in report-only mode first, because the application may rely on inline scripts that a strict policy will break.
🧯 If You Can't Patch
- Apply input validation and output encoding for the class parameter, either in the application layer or at a reverse proxy in front of it
- Restrict access to the HR system using network segmentation and require VPN for remote access
🔍 How to Verify
Check if Vulnerable:
Request the affected page with a harmless probe in the class parameter (e.g. <script>alert('test')</script>) and inspect the raw response. If the probe comes back verbatim, the instance reflects the parameter unencoded and is vulnerable; if it comes back as &lt;script&gt;…, the output is HTML-encoded.
Check Version:
Check the application version in the admin interface or via Infor's version reporting tools
Verify Fix Applied:
After patching, repeat the probe and confirm in the raw response that the value is HTML-encoded or rejected. Do not rely on the absence of an alert pop-up alone: a CSP or browser setting can suppress execution while the unencoded reflection remains.
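The reflection check above, as an added example that is not part of the original page or of Infor's tooling. It sends a probe in a query parameter and classifies how the response echoes it; the host, path and the parameter name `class` are assumptions for illustration, and the response bodies used in the usage section are constructed.

```python
"""Classify how a probe value is reflected in an HTTP response body.

Added example (not Infor's code). Assumes a GET endpoint that echoes the
`class` query parameter; the base URL is a placeholder.
"""
import html
import sys
import urllib.parse
import urllib.request
from typing import Optional

# A harmless, easily greppable probe. The marker "ghrxss" lets us tell a
# stripped payload apart from one that was never reflected at all.
PROBE = '<script>alert("ghrxss")</script>'
MARKER = "ghrxss"


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return one of 'unencoded', 'encoded', 'filtered' or 'absent'.

    unencoded: probe appears verbatim -> vulnerable reflection
    encoded:   only an HTML-escaped form is present -> rendered as text
    filtered:  marker survives but the tags were stripped/altered
    absent:    the parameter is not reflected in this response
    """
    if probe in body:
        return "unencoded"
    if html.escape(probe) in body or html.escape(probe, quote=False) in body:
        return "encoded"
    if MARKER in body:
        return "filtered"
    return "absent"


def build_url(base: str, param: str, value: str) -> str:
    """Percent-encode the probe so the server, not our client, does the decoding."""
    return f"{base}?{urllib.parse.urlencode({param: value})}"


def fetch(url: str, cookie: Optional[str] = None) -> str:
    """GET the URL (optionally with a session cookie) and return the decoded body."""
    req = urllib.request.Request(url, headers={"User-Agent": "ghr-xss-check/1.0"})
    if cookie:
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=15) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


if __name__ == "__main__":
    # Placeholder base URL (assumption); pass the real page as argv[1] and an
    # optional session cookie as argv[2], since the page may require login.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://ghr.example.internal/ghr/page"
    cookie = sys.argv[2] if len(sys.argv) > 2 else None
    url = build_url(base, "class", PROBE)
    verdict = classify_reflection(fetch(url, cookie))
    print(f"{url}\n-> reflection: {verdict}")
```

Run it against a test instance only, with an authorized account's cookie if the page sits behind login. A verdict of `unencoded` confirms the vulnerability; `filtered` means some sanitization exists but deserves a closer look with other payload shapes, because tag stripping is easy to bypass.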
📡 Detection & Monitoring
Log Indicators:
- HTTP requests whose class parameter contains script tags, event-handler attributes or javascript: URIs, in raw or percent-encoded form
- A session cookie reused from a different client IP or user agent shortly after its owner requested a suspicious URL (possible session hijack)
Network Indicators:
- Victim browsers (not the HR server itself) sending GHR session data to unknown external domains right after loading GHR pages; proxy logs are the place to look
- Users being redirected from GHR to unexpected external URLs
SIEM Query:
source="web_server_logs" AND uri CONTAINS "class=" AND (uri CONTAINS "<script" OR uri CONTAINS "%3Cscript" OR uri CONTAINS "javascript:" OR uri CONTAINS "javascript%3A" OR uri CONTAINS "onerror=" OR uri CONTAINS "onerror%3D")
Web servers log the request line as received, so payloads usually appear percent-encoded; include the encoded forms as above, or decode the URI before matching. Literal-string matches will still miss case variations and double encoding, so treat this query as a first pass, not a complete signature.
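The same detection applied to raw access logs, as an added example that is not part of the original page. It URL-decodes the class parameter (twice, to catch double encoding) before matching, which the literal SIEM string match above cannot do. The log format and the sample lines are constructed for the example.

```python
"""Scan web-server access-log lines for XSS-like payloads in the `class`
query parameter. Added example, not Infor's code; log format is assumed to be
the common combined format and the sample lines are constructed.
"""
import re
import urllib.parse
from typing import Dict, Iterable, List, Optional

# Indicators of script injection, matched case-insensitively against the
# decoded parameter value. \b before "on" avoids flagging words like "season=".
XSS_PATTERNS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe|body)\b|\bexpression\s*\(",
    re.IGNORECASE,
)

# ip ident user [time] "METHOD uri HTTP/x.y" status size   (combined log format)
# The lazy (.+?) keeps a raw, unencoded payload with spaces inside the uri group.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.+?) HTTP/[\d.]+" (\d{3})')


def suspicious_class_value(uri: str) -> Optional[str]:
    """Return the decoded `class` value if it looks like an XSS payload, else None."""
    query = urllib.parse.urlsplit(uri).query
    # parse_qs decodes one layer of percent-encoding; a second unquote_plus
    # exposes double-encoded payloads such as %253Cscript%253E.
    values = urllib.parse.parse_qs(query, keep_blank_values=True).get("class", [])
    for once in values:
        decoded = urllib.parse.unquote_plus(once)
        if XSS_PATTERNS.search(decoded):
            return decoded
    return None


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit record per request whose class parameter matches."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        ip, ts, method, uri, status = m.groups()
        payload = suspicious_class_value(uri)
        if payload is not None:
            hits.append({"ip": ip, "time": ts, "method": method,
                         "status": int(status), "payload": payload})
    return hits


# Constructed sample lines: two benign requests, a percent-encoded payload,
# a double-encoded payload, and a raw javascript: URI.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2025:10:00:01 +0000] "GET /ghr/page?class=employee HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2025:10:02:14 +0000] "GET /ghr/page?class=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734',
    '198.51.100.9 - - [12/Mar/2025:10:03:40 +0000] "GET /ghr/page?class=manager&sort=name HTTP/1.1" 200 500',
    '203.0.113.7 - - [12/Mar/2025:10:05:09 +0000] "GET /ghr/page?class=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 700',
    '203.0.113.7 - - [12/Mar/2025:10:06:30 +0000] "GET /ghr/page?class=javascript:alert(1) HTTP/1.1" 200 690',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} class={hit["payload"]!r}')
```

The status code is worth keeping in the hit record: a 200 on a payload request means the page reflected something, while a 403 suggests the WAF caught it. Three hits from one source address in a few minutes, as in the sample, is the pattern to alert on.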