CVE-2024-54775
📋 TL;DR
Dcat-Admin v2.2.0-beta and v2.2.2-beta contain a Cross-Site Scripting (XSS) vulnerability in the /admin/auth/menu and /admin/auth/extensions endpoints. This allows attackers to inject malicious scripts that execute in users' browsers when they access these admin pages. Administrators and users with access to the admin interface are affected.
💻 Affected Systems
- Dcat-Admin
📦 What is this software?
Dcat Admin by Dcatadmin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers inject malicious scripts to steal session cookies or credentials from administrators, leading to unauthorized access to the admin panel.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution.
🎯 Exploit Status
Exploitation requires reaching the admin interface endpoints, and the injected script only runs when an administrator (or another admin-panel user) renders the affected page in a browser. The referenced GitHub issue contains proof-of-concept details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not stated here; check for a release later than v2.2.2-beta that references this issue
Reference: https://github.com/taynes-llllzt/taynes/issues/5 (the reporter's GitHub issue, not an advisory published by the Dcat-Admin maintainers)
Restart Required: No (but see step 3)
Instructions:
1. Update Dcat-Admin (Composer package dcat/laravel-admin) to a release that addresses this vulnerability.
2. Verify the fix by checking the changelog or the commit referenced from the issue.
3. A web-server restart is not needed for a typical PHP deployment, but clear the application's compiled view and configuration caches and, if OPcache is enabled, reload PHP-FPM so the patched files are actually loaded.
🔧 Temporary Workarounds
Output Encoding (with Input Validation)
Apply server-side output encoding to every user-controlled value that the affected pages render; input validation is a useful second layer, but on its own it is bypassable.
In the PHP that renders /admin/auth/menu and /admin/auth/extensions, escape values at output time with htmlspecialchars() using ENT_QUOTES and UTF-8 (or the framework's escaped template output), rather than echoing stored values raw.
Restrict Admin Access
Limit access to the admin interface to known source IPs or a VPN to reduce the attack surface.
Configure web server (e.g., Apache .htaccess or Nginx config) to allow only specific IPs to /admin paths.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads.
- Disable or restrict the /admin/auth/menu and /admin/auth/extensions endpoints if not in use.
🔍 How to Verify
Check if Vulnerable:
On an instance you are authorised to test, submit a harmless marker payload such as <script>alert('test')</script> through the inputs that /admin/auth/menu or /admin/auth/extensions render, then load the page and check whether the browser executes it rather than displaying it as text.
Check Version:
Check the installed Dcat-Admin version in the application's configuration, or via Composer (the package is dcat/laravel-admin): composer show dcat/laravel-admin
Verify Fix Applied:
After patching, repeat the same test against both endpoints and confirm the payload is rendered as inert text (for example as &lt;script&gt; in the page source) with no script execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST or GET requests to /admin/auth/menu or /admin/auth/extensions (including their sub-routes) whose parameters contain script tags, event-handler attributes, javascript: URIs, or URL-encoded forms of these.
- An existing admin session identifier suddenly used from a new IP address or User-Agent, which is what a stolen session cookie looks like in the logs.
Network Indicators:
- HTTP traffic to admin endpoints containing JavaScript or HTML injection patterns.
SIEM Query (pseudo-syntax; adapt to your platform, and URL-decode and lower-case the fields first, since %3Cscript%3E or <ScRiPt> will not match a literal "<script>"):
source="web_logs" AND url_path MATCHES "^/admin/auth/(menu|extensions)" AND (query_string CONTAINS "<script" OR query_string CONTAINS "%3Cscript" OR query_string CONTAINS "javascript:" OR query_string CONTAINS "onerror=")
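The query above only catches a literal, single-encoded payload in the query string. The following is an added example for this page (not code from the Dcat-Admin project or the reporter) that applies the same detection to access-log lines while decoding repeated URL-encoding and HTML entities and normalising case, scoped to the two affected endpoints and their sub-routes. The log lines are constructed for the example, and the indicator patterns and path list are assumptions about what a probe would look like, not payloads taken from the advisory.

```python
"""Scan combined-format access logs for XSS probes against the Dcat-Admin
endpoints named in CVE-2024-54775 (/admin/auth/menu, /admin/auth/extensions).

Added example, not code from the Dcat-Admin project. SAMPLE_LOG is constructed;
AFFECTED_PATHS and XSS_PATTERNS are assumptions about attacker input.
"""
import re
from html import unescape
from urllib.parse import unquote, unquote_plus, urlsplit

AFFECTED_PATHS = ("/admin/auth/menu", "/admin/auth/extensions")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the fully decoded, lower-cased request target (path + query).
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b"),
    "javascript_uri": re.compile(r"javascript\s*:"),
    "event_handler": re.compile(r"\bon(error|load|click|mouseover|focus|blur|toggle)\s*="),
    "active_element": re.compile(r"<\s*(svg|iframe|object|embed)\b"),
}


def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated URL-encoding and HTML entities, then lower-case.

    A literal '<script>' is the easy case; %3Cscript%3E, double-encoded
    %253Cscript%253E and <ScRiPt> all reduce to the same string here.
    """
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev = value
        value = unescape(unquote_plus(value))
    return value.lower()


def in_scope(path: str, scope=AFFECTED_PATHS) -> bool:
    """True for the affected endpoints and their sub-routes (e.g. /admin/auth/menu/3/edit)."""
    path = unquote(path).rstrip("/")
    return any(path == p or path.startswith(p + "/") for p in scope)


def scan_access_log(lines, scope=AFFECTED_PATHS):
    """One finding per in-scope request whose decoded target matches an indicator.

    Access logs do not carry POST bodies, so a POST with a clean URL is not
    flagged here; application or WAF logs are needed for those.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        path = urlsplit(target).path
        if not in_scope(path, scope):
            continue
        decoded = normalize(target)
        hits = [name for name, rx in XSS_PATTERNS.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": path, "indicators": hits, "decoded": decoded,
            })
    return findings


SAMPLE_LOG = [  # constructed for this example
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /admin/auth/menu?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/auth/extensions?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/auth/menu HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "POST /admin/auth/menu HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /admin/auth/users?name=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.10 - - [01/Jan/2025:10:00:05 +0000] "GET /admin/auth/menu/3/edit?uri=JaVaScRiPt:alert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["path"], ",".join(f["indicators"]))
```

On the constructed sample the scanner flags the single-encoded script tag, the double-encoded onerror handler and the mixed-case javascript: URI, and ignores the clean GET, the POST with no URL payload (its body never reaches the access log) and the probe against an out-of-scope path. The hostile `in_scope` prefix match is deliberate: Laravel-style resource routes put the record ID after the endpoint path.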