CVE-2024-55918
📋 TL;DR
This vulnerability in the Graphics::ColorNames Perl package allows HTML injection when an attacker can place a malicious file in the application's current working directory. Because the module does not distinguish clearly between a scheme's module name and a filename, a file in the working directory can be loaded in place of a bundled colour scheme, letting the attacker inject arbitrary HTML content. This affects Perl applications using Graphics::ColorNames versions before 3.2.0.
💻 Affected Systems
- Graphics::ColorNames Perl module
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete HTML injection leading to cross-site scripting (XSS), session hijacking, or credential theft if the injected content is rendered in a web context.
Likely Case
Limited HTML injection affecting specific functionality that uses color name lookups, potentially causing content manipulation or minor data integrity issues.
If Mitigated
No impact if proper file permissions prevent unauthorized file creation in working directories or if input validation/sanitization is implemented.
🎯 Exploit Status
Exploitation requires the ability to create files in the working directory of the vulnerable application, which typically requires some level of access or another vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.0
Vendor Advisory: https://metacpan.org/dist/Graphics-ColorNames
Restart Required: No
Instructions:
1. Update Graphics::ColorNames using CPAN: 'cpan Graphics::ColorNames'
2. Or install specific version: 'cpan Graphics::ColorNames@3.2.0'
3. Verify installation with: perl -MGraphics::ColorNames -e 'print $Graphics::ColorNames::VERSION' (use single quotes around the -e argument in POSIX shells so that $Graphics is not expanded by the shell; under Windows cmd.exe use double quotes instead)
🔧 Temporary Workarounds
Restrict file permissions (Linux)
Prevent unauthorized file creation in application working directories:
chmod 750 /path/to/working/directory
chown root:appuser /path/to/working/directory
Use absolute module paths (all platforms)
Modify code to use absolute paths for module loading instead of relying on the current directory.
🧯 If You Can't Patch
- Implement strict file permission controls on application working directories
- Add input validation and output encoding for any content that uses Graphics::ColorNames lookups
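One way to apply the input-validation and output-encoding mitigations above in application code, as an added Perl example that is not from the advisory or the Graphics::ColorNames distribution; it assumes the bundled X11 and HTML schemes, the hex() accessor on the scheme object, and that the looked-up value is rendered inside an HTML attribute:

```perl
#!/usr/bin/perl
# Added example, not code from the advisory or the Graphics::ColorNames
# distribution. Assumptions: the bundled "X11" and "HTML" schemes exist, the
# scheme object exposes hex($name), and the result lands in an HTML attribute.
use strict;
use warnings;
use Graphics::ColorNames v3.2.0;   # refuse to compile against a version below the fixed release

# 1. Never let a request-controlled string choose the scheme. On vulnerable
#    versions a name such as "evil" could be resolved as a file in the working
#    directory; mapping through an allow-list removes that choice entirely.
my %ALLOWED_SCHEME = (x11 => 'X11', html => 'HTML');

sub load_scheme {
    my ($requested) = @_;
    my $scheme = $ALLOWED_SCHEME{ lc $requested }
        or die "unknown colour scheme '$requested'\n";
    my $obj = eval { Graphics::ColorNames->new($scheme) }
        or die "cannot load scheme $scheme: $@";
    return $obj;
}

# 2. Treat the lookup result as untrusted: only a six-hex-digit value is
#    emitted, so even a tampered scheme cannot smuggle markup into the page.
sub safe_hex {
    my ($colors, $name) = @_;
    return undef unless defined $name && $name =~ /\A[A-Za-z0-9 ]{1,40}\z/;
    my $hex = $colors->hex($name);           # e.g. 'steel blue' -> '4682B4'
    return undef unless defined $hex && $hex =~ /\A[0-9A-Fa-f]{6}\z/;
    return lc $hex;
}

# 3. Output-encode anything else that reaches the HTML response.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Stand-ins for request parameters (constructed values, not real input).
my ($scheme_param, $color_param) = ('x11', 'steel blue');
my $colors = load_scheme($scheme_param);
my $hex    = safe_hex($colors, $color_param) // '000000';   # fall back to black
printf qq{<span style="color:#%s">%s</span>\n}, $hex, html_escape($color_param);
```

An unknown scheme name or a value that is not a plain six-digit hex string is rejected before anything is written to the response, which is what keeps a file planted in the working directory from reaching the rendered page.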
🔍 How to Verify
Check if Vulnerable:
Check the installed version: perl -MGraphics::ColorNames -e 'print $Graphics::ColorNames::VERSION' (single-quote the -e argument in POSIX shells so that $Graphics is not expanded by the shell; under Windows cmd.exe use double quotes). Any version below 3.2.0 is affected.
Verify Fix Applied:
Confirm the version is 3.2.0 or higher using the same command.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file creation in application directories
- Errors from Graphics::ColorNames module loading
Network Indicators:
- Unusual file upload patterns to application directories
SIEM Query:
source="application.log" AND "Graphics::ColorNames" AND ("error" OR "warning")