CVE-2024-51492
📋 TL;DR
CVE-2024-51492 is a cross-site scripting (XSS) vulnerability in the Zusam self-hosted forum software that allows attackers to execute arbitrary JavaScript via malicious SVG image uploads. Because Zusam uses static API keys as long-lived session tokens, this can lead to session token theft. All Zusam instances prior to version 0.5.6 are affected.
💻 Affected Systems
- Zusam
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover via session token theft, leading to unauthorized access to private forums, data exfiltration, and potential privilege escalation.
Likely Case
Session hijacking allowing attackers to impersonate users, access private conversations, and potentially modify forum content.
If Mitigated
Limited impact with proper input validation and content security policies in place, though risk remains if SVG uploads are allowed.
🎯 Exploit Status
Exploitation requires uploading a malicious SVG file, which can be done by any authenticated user. Public proof-of-concept exists in the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5.6
Vendor Advisory: https://github.com/zusam/zusam/security/advisories/GHSA-96fx-5rqv-jfxh
Restart Required: Yes
Instructions:
1. Backup your Zusam instance.
2. Update to version 0.5.6 via git pull or download from releases.
3. Restart the Zusam service.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable SVG uploads
Configure Zusam to reject SVG file uploads entirely.
Modify the Zusam configuration to exclude 'image/svg+xml' from the allowed MIME types. Check the file contents as well as the declared type, because the MIME type and file extension sent by the client can be freely chosen.
Implement Content Security Policy
Add CSP headers to prevent script execution from uploaded content.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration. The header must be sent on the responses that serve uploaded files, not only on the forum pages. Since 'self' also blocks the application's own inline scripts and styles, confirm the forum still works under the policy before enforcing it.
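The following is an added example of the upload-side check described in the "Disable SVG uploads" workaround; it is not Zusam project code. Removing image/svg+xml from the allowed MIME types only helps if the gate also looks at the bytes, since the declared type and the filename are both chosen by the client. The allowed-type set, the function names and the sample uploads are assumptions constructed for the example.

```python
"""Content-based SVG rejection for an image upload handler.

Added example, not Zusam project code. Rejects SVG whatever the client
declares, including SVG renamed to .png and gzip-compressed .svgz.
"""
import gzip
import io
import re
import zlib
from typing import Optional, Tuple

# Image types the hypothetical gate accepts; SVG is deliberately absent.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
GZIP_MAGIC = b"\x1f\x8b"

# First element start tag: optional prefix:name followed by whitespace, '/' or '>'.
_FIRST_TAG = re.compile(rb"<([A-Za-z_][\w.\-]*)(?::([A-Za-z_][\w.\-]*))?[\s/>]")

# Constructed sample of a compressed SVG, used by the demo below.
SVGZ_SAMPLE = gzip.compress(b'<svg xmlns="http://www.w3.org/2000/svg"/>')


def root_element_local_name(data: bytes) -> Optional[str]:
    """Return the lowercase local name of the document's root element, or None.

    Skips a UTF-8 BOM, the XML declaration, comments and a DOCTYPE, so that
    '<?xml ...?><!-- x --><!DOCTYPE svg><svg>' still yields 'svg'.
    """
    text = data[:8192]
    if text.startswith(b"\xef\xbb\xbf"):
        text = text[3:]
    pos, end_of_text = 0, len(text)
    while pos < end_of_text:
        while pos < end_of_text and text[pos:pos + 1].isspace():
            pos += 1
        if text.startswith(b"<?", pos):
            end, skip = text.find(b"?>", pos), 2
        elif text.startswith(b"<!--", pos):
            end, skip = text.find(b"-->", pos), 3
        elif text.startswith(b"<!", pos):
            end, skip = text.find(b">", pos), 1
        else:
            match = _FIRST_TAG.match(text, pos)
            if match is None:
                return None
            return (match.group(2) or match.group(1)).decode("ascii").lower()
        if end < 0:
            return None
        pos = end + skip
    return None


def looks_like_svg(data: bytes) -> bool:
    """True if the bytes are an SVG document, plain or gzip-compressed (.svgz)."""
    if data.startswith(GZIP_MAGIC):
        try:
            # Read only the head of the stream so a decompression bomb cannot
            # exhaust memory during the check.
            data = gzip.GzipFile(fileobj=io.BytesIO(data)).read(8192)
        except (OSError, EOFError, zlib.error):
            return False
    return root_element_local_name(data) == "svg"


def accept_image_upload(declared_mime: str, filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded image may be stored. Returns (accepted, reason)."""
    declared = declared_mime.split(";", 1)[0].strip().lower()
    if declared not in ALLOWED_IMAGE_TYPES:
        return False, f"declared type {declared!r} is not an allowed image type"
    if filename.lower().endswith((".svg", ".svgz")):
        return False, "svg extension is not allowed"
    if looks_like_svg(data):
        return False, "content is an SVG document regardless of the declared type"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample uploads; none of them is real Zusam traffic.
    samples = [
        ("image/svg+xml", "logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg"/>'),
        ("image/png", "logo.png",
         b'<?xml version="1.0"?>\n<!-- renamed -->\n<!DOCTYPE svg>\n'
         b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'),
        ("image/png", "logo.png", SVGZ_SAMPLE),
        ("image/png", "photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ]
    for mime, name, body in samples:
        print(f"{name:10} {mime:14} -> {accept_image_upload(mime, name, body)}")
```

The gate checks three things in order: the declared type against an allow list, the extension, and finally the root element of the content itself. Only the last check catches an SVG renamed to .png or wrapped in gzip, which is why a MIME-type filter on its own is not a complete workaround.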
🧯 If You Can't Patch
- Immediately disable image upload functionality in Zusam configuration
- Implement web application firewall rules to block SVG files and monitor for XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check if Zusam version is below 0.5.6 and if SVG uploads are enabled
Check Version:
Check Zusam admin interface or version file in installation directory
Verify Fix Applied:
Confirm version is 0.5.6 or higher and test that SVG files with script tags are properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads
- Multiple failed login attempts from new locations
- API key usage from unexpected IP addresses
Network Indicators:
- HTTP requests containing SVG files with script tags
- Outbound connections to suspicious domains after image upload
SIEM Query:
source="zusam_logs" AND (file_type="svg" OR mime_type="image/svg+xml")
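The "SVG files with script tags" indicators above and the "Verify Fix Applied" step both need a way to tell an SVG carrying active content from a plain drawing. The scanner below is an added example, not Zusam project code or a tool from the advisory: given the bytes of an SVG (from an upload directory or a captured HTTP body), it reports script elements, event-handler attributes, javascript: links, foreignObject wrappers and animations that retarget an href. The function names and the sample files are constructed for the example; the handler names inside the fixtures are placeholders, not payloads.

```python
"""Scanner for active content inside stored SVG files.

Added example, not Zusam project code. Reports the markers a sanitizer
must strip and a monitoring job should alert on.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List


def _local(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix: '{ns}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1]


def svg_active_content(data: bytes) -> List[str]:
    """Return human-readable findings for every active-content marker found.

    An empty list means none of the checked markers is present. Note that
    xml.etree does not fetch external entities but does expand internal
    entity declarations; for untrusted input at scale parse with the
    defusedxml package instead.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        return [f"not well-formed XML ({err})"]
    findings = []
    for element in root.iter():
        tag = _local(element.tag)
        if tag.lower() in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = _local(attr).lower()
            compact = "".join(value.split()).lower()  # browsers tolerate whitespace and case
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and compact.startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
            elif name == "attributename" and compact.endswith("href"):
                # <animate>/<set> can rewrite a link target after load.
                findings.append(f"<{tag}> animates an href attribute")
    return findings


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each file name to its findings; files without findings are omitted."""
    report = {}
    for name, body in files.items():
        hits = svg_active_content(body)
        if hits:
            report[name] = hits
    return report


# Constructed fixtures; handler() is a placeholder name, not a real payload.
SAMPLES = {
    "avatar_ok.svg": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                     b'<circle cx="5" cy="5" r="4"/></svg>',
    "with_script.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* marker */</script></svg>',
    "with_handlers.svg": b'<svg xmlns="http://www.w3.org/2000/svg" onload="handler()">'
                         b'<rect onclick="handler()"/></svg>',
    "with_link.svg": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                     b'<a xlink:href=" JavaScript:handler()"><text>link</text></a></svg>',
}

if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

Running the scanner over the upload directory after applying 0.5.6 gives a concrete answer to the verification step: files that still produce findings were not sanitized. Feeding the same function the bodies of captured upload requests turns the "HTTP requests containing SVG files with script tags" network indicator into something a detection job can actually evaluate rather than a string match on "<script".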