CVE-2024-57278
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in QingScan's web interface allows an attacker to inject JavaScript through the query parameter of a crafted URL. When a victim opens the link, the script runs in the victim's browser within QingScan's origin: it can read the session cookie (unless the cookie is marked HttpOnly), redirect the user, or perform actions with the victim's session. The report covers QingScan v1.8.0 and earlier versions.
💻 Affected Systems
- QingScan
⚠️ Manual Verification Required
The NVD entry for this CVE lists no affected-version ranges, so automated, version-based vulnerability detection cannot tell whether your installation is affected.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of QingScan, pivot to internal networks, and compromise sensitive security scan data.
Likely Case
Attackers steal user session cookies, hijack authenticated sessions, and perform unauthorized actions within QingScan's interface.
If Mitigated
With context-appropriate output encoding applied where the parameter is reflected (htmlspecialchars with ENT_QUOTES for an HTML body or attribute), the payload renders as text and no script executes.
🎯 Exploit Status
No authentication is required to craft the link, but exploitation depends on a victim opening it; session theft matters only when the victim has an active QingScan session at the time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.8.1 or later
Vendor Advisory: https://github.com/78778443/QingScan/issues/41
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the latest version from the official repository.
3. Replace the vulnerable files.
4. Restart the QingScan service.
🔧 Temporary Workarounds
Web Application Firewall (WAF)
Deploy WAF rules that block XSS payloads in query parameters. The rules must match after URL-decoding, because browsers send the payload percent-encoded (%3Cscript%3E) rather than as a literal <script> tag.
Input Validation Filter
Wrap the reflected query parameter in htmlspecialchars() before it is echoed. The sed command below is a one-shot edit: run it once (a second run double-wraps the call), keep the .bak copy it writes, and note that it covers only the query sink in an HTML body or attribute context, not reflection into a JavaScript or URL context.
sed -i.bak 's/\$_GET\[.query.\]/htmlspecialchars(&, ENT_QUOTES, "UTF-8")/g' /path/to/QingScan/webscan/sqlmap/index.html
🧯 If You Can't Patch
- Restrict access to QingScan web interface to trusted IP addresses only
- Send a Content-Security-Policy header that disallows inline script (for example `default-src 'self'; script-src 'self'`). This stops the injected script from running in CSP-aware browsers but does not remove the injection itself; mark the session cookie HttpOnly as well so that a script which does run cannot read it.
🔍 How to Verify
Check if Vulnerable:
Request http://[qingscan-ip]/webscan/sqlmap/index.html?query=%3Cscript%3Ealert('xss')%3C/script%3E (the browser percent-encodes < and > anyway) and check whether the alert fires or, more reliably, whether a raw <script> tag appears unencoded in the page source.
Check Version:
grep 'version' /path/to/QingScan/README.md || cat /path/to/QingScan/VERSION
Verify Fix Applied:
Send the same payload after patching; the script should not execute and the reflected value should appear in the page source with < and > encoded as &lt; and &gt;.
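The reflection check described above, as an added example (not part of this advisory or of the QingScan project). It assumes the endpoint path and query parameter named above and that the page reflects the value into ordinary HTML; the probe is a unique, non-executing marker, so the result is read from the page source rather than from whether an alert fires, and it also distinguishes a partial fix (angle brackets encoded, quotes not) from a complete one.

```python
"""Reflection check for the QingScan query parameter (CVE-2024-57278).

Added example, not code from the advisory or the QingScan project. Assumes
the endpoint path and parameter name given in the advisory.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request

ENDPOINT = "/webscan/sqlmap/index.html"   # path named in the advisory
PARAM = "query"                           # parameter named in the advisory


def make_marker(token=None):
    """Build a unique, non-executing probe containing the characters that
    htmlspecialchars(..., ENT_QUOTES) must encode: a double quote, '>' and '<'.
    The random token keeps the probe unique so an unrelated occurrence of
    the same text cannot produce a false positive."""
    token = token or secrets.token_hex(4)
    return f'"><qs{token}>'


def classify_reflection(body, marker):
    """Return how the marker came back in the response body:
       'vulnerable'         raw marker present, nothing was encoded
       'encoded'            only the fully HTML-escaped form is present
       'partially-encoded'  token present but neither raw nor fully escaped
                            (e.g. '<' encoded but '"' not: still exploitable
                            inside an attribute value, review manually)
       'absent'             the parameter is not reflected at all
    """
    core = marker[3:-1]          # 'qs<token>' without the surrounding '"><' and '>'
    if marker in body:
        return "vulnerable"
    if html.escape(marker, quote=True) in body:   # &quot;&gt;&lt;qs...&gt;
        return "encoded"
    if core in body:
        return "partially-encoded"
    return "absent"


def check_target(base_url, timeout=10):
    """Send the probe to a live instance and classify the response.
    Needs network access; run only against systems you are authorised to test."""
    marker = make_marker()
    url = base_url.rstrip("/") + ENDPOINT + "?" + urllib.parse.urlencode({PARAM: marker})
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2024-57278-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, marker)


if __name__ == "__main__":
    # usage: python check.py http://qingscan-host
    print(check_target(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"))
```

Only "encoded" means the fix is in place; "partially-encoded" and "vulnerable" both warrant the patch, and "absent" means the parameter was not reflected in that response and the page should be inspected by hand.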
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing <script> tags in query parameters
- Unusual length or encoding in query parameter values
Network Indicators:
- HTTP GET requests to /webscan/sqlmap/index.html with JavaScript payloads in query string
SIEM Query (pseudo-syntax; match against the URL-decoded query string, since a literal <script> pattern alone misses the %3Cscript%3E form the browser actually sends):
source="web_access.log" AND uri_path="/webscan/sqlmap/index.html" AND (query="*<script*" OR query="*%3Cscript*" OR query="*onerror=*" OR query="*onload=*" OR query="*javascript:*")