CVE-2025-50938
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Hustoj, an online judge system, affecting the thread.php page via the TID parameter. Attackers can inject malicious scripts that execute in victims' browsers when viewing compromised threads. This affects all Hustoj installations running the vulnerable 2025-01-31 version.
💻 Affected Systems
- Hustoj
📦 What is this software?
Hustoj is an open-source online judge system published by the Hustoj project (source repository: https://github.com/zhblue/hustoj).
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface pages, or redirect users to malicious sites, potentially leading to account compromise and data theft.
Likely Case
Attackers would typically use this to steal session cookies or credentials, perform limited actions as the victim, or display malicious content to users.
If Mitigated
With proper input validation and output encoding, the impact would be limited to script execution in isolated contexts with minimal damage potential.
🎯 Exploit Status
Exploitation requires crafting a malicious TID parameter value and most likely also requires user interaction: a victim has to view the affected thread page for the injected script to run in their browser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub issue #1093 for latest patched version
Vendor Advisory: https://github.com/zhblue/hustoj/issues/1093
Restart Required: No
Instructions:
1. Check GitHub issue #1093 for patch details.
2. Update to the latest Hustoj version.
3. Apply input validation and output encoding fixes to the TID parameter handling in thread.php.
🔧 Temporary Workarounds
Input Validation Filter
- Add server-side validation that sanitizes the TID parameter value before it is processed.
- Implement proper input validation in thread.php to filter/escape the TID parameter.
Content Security Policy
- Add a Content-Security-Policy header that restricts the sources from which scripts may execute.
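The following PHP is an added example written for this page; it is not code from Hustoj, from the advisory, or from GitHub issue #1093. It shows, side by side, the unsafe pattern of reflecting a query parameter straight into HTML and the validate-then-encode handling that fix step 3 and the workarounds above call for, plus the CSP header as a second layer. The parameter name `tid`, the markup fragment, and all function names are assumptions made for the example; Hustoj's actual thread.php is not reproduced here.

```php
<?php
// Added example (not Hustoj's own code): unsafe vs. hardened handling of a
// thread-id query parameter on a page such as thread.php.
// Assumptions: the parameter is called "tid" and is meant to be a positive integer.

// Unsafe pattern, illustrative only: the raw query value lands inside the markup,
// so any characters the browser treats as HTML are interpreted as such.
function render_thread_title_unsafe(array $query): string
{
    $tid = $query['tid'] ?? '';
    return '<h2>Thread #' . $tid . '</h2>';
}

// Hardened step 1: validate. A thread id is a positive integer, so anything else
// is rejected outright rather than "escaped and hoped for the best".
function parse_thread_id(array $query): ?int
{
    $raw = $query['tid'] ?? null;
    // FILTER_VALIDATE_INT returns false for "12abc", "1e3", " 12 ", arrays and null;
    // min_range => 1 additionally rejects zero and negatives.
    $tid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $tid === false ? null : $tid;
}

// Hardened step 2: encode on output. Even though $tid is an int by now, every
// value that reaches the template goes through htmlspecialchars so the rule
// holds uniformly and survives later refactoring.
function render_thread_title_safe(array $query): string
{
    $tid = parse_thread_id($query);
    if ($tid === null) {
        http_response_code(400);
        return '<p>Invalid thread id.</p>';
    }
    return '<h2>Thread #' . htmlspecialchars((string) $tid, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// Defence in depth: a CSP that only allows scripts from the site's own origin,
// so an inline script that slipped past encoding would still be blocked.
// (Policy values are an assumption; tune them to what the site actually loads.)
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Demo when run from the CLI: php thread_tid_example.php
if (PHP_SAPI === 'cli') {
    foreach (['42', '12abc', '-1', '<b>x</b>'] as $sample) {
        echo $sample, ' => ', render_thread_title_safe(['tid' => $sample]), PHP_EOL;
    }
}
```

Validation is deliberately done before encoding: rejecting a non-numeric thread id removes the attacker-controlled string from the page entirely, whereas escaping alone still echoes it back (harmlessly, if done right, but with no margin for error). The CSP helper must be called before any output is sent, so in a real page it belongs at the very top of the request handling.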
🧯 If You Can't Patch
- Implement WAF rules to block suspicious TID parameter patterns
- Disable or restrict access to thread.php functionality if not essential
🔍 How to Verify
Check if Vulnerable:
Test by injecting script payloads into the TID parameter and checking whether they execute when the thread is viewed.
Check Version:
Check the Hustoj version information in the admin panel or configuration files.
Verify Fix Applied:
Verify that script payloads in the TID parameter are properly sanitized and do not execute.
📡 Detection & Monitoring
Log Indicators:
- Unusual TID parameter values containing script tags or JavaScript in access logs
- Multiple failed attempts with malformed TID parameters
Network Indicators:
- HTTP requests to thread.php with suspicious TID parameter values
- Outbound connections to external domains from thread.php pages
SIEM Query:
source="web_logs" AND uri="*thread.php*" AND (query="*<script*" OR query="*javascript:*" OR query="*onload=*" OR query="*onerror=*")
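Added example, not from the page or from Hustoj: a PHP command-line scanner that applies the log indicators above to a handful of constructed access-log lines. It URL-decodes the `tid` value before matching, which the SIEM query above does not do; in a raw access log a payload usually appears percent-encoded (`%3Cscript%3E`), so a literal `*<script*` pattern against the undecoded query string would miss it. It also flags non-numeric `tid` values, covering the "multiple failed attempts with malformed TID parameters" indicator. The log format, the sample lines and the function names are constructed for this example; it needs PHP 8 for `str_contains`.

```php
<?php
// Added example (not Hustoj's own code): scan access-log lines for requests to
// thread.php whose tid parameter carries script-like or malformed content.
// The combined-log-style format and every sample line below are constructed.

const ACCESS_LOG_SAMPLE = <<<'LOG'
203.0.113.10 - - [01/Feb/2025:10:00:01 +0000] "GET /thread.php?tid=42 HTTP/1.1" 200 5120
203.0.113.11 - - [01/Feb/2025:10:00:05 +0000] "GET /thread.php?tid=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5200
203.0.113.12 - - [01/Feb/2025:10:00:09 +0000] "GET /thread.php?tid=42&page=1 HTTP/1.1" 200 5120
203.0.113.13 - - [01/Feb/2025:10:00:12 +0000] "GET /thread.php?tid=12abc HTTP/1.1" 200 5100
203.0.113.14 - - [01/Feb/2025:10:00:15 +0000] "GET /problem.php?id=%3Cscript%3E HTTP/1.1" 404 100
LOG;

// Markers mirroring the page's SIEM query, compared against the URL-decoded value.
const SCRIPT_MARKERS = ['<script', 'javascript:', 'onload=', 'onerror='];

// Returns null for an uninteresting line, otherwise a finding with tid and reason.
function classify_request(string $line): ?array
{
    // Pull path and query string out of the quoted request field.
    if (!preg_match('/"(?:GET|POST) ([^?\s]+)(?:\?([^\s"]*))? /', $line, $m)) {
        return null;
    }
    $path  = $m[1];
    $query = $m[2] ?? '';
    if (basename($path) !== 'thread.php') {
        return null;                            // only the affected page is of interest
    }
    parse_str($query, $params);                 // parse_str URL-decodes the values
    $tid = $params['tid'] ?? '';
    if (!is_string($tid)) {
        return ['tid' => json_encode($tid), 'reason' => 'non-scalar tid'];   // tid[]=... style
    }
    $lower = strtolower($tid);
    foreach (SCRIPT_MARKERS as $marker) {
        if (str_contains($lower, $marker)) {
            return ['tid' => $tid, 'reason' => "script marker '$marker'"];
        }
    }
    if ($tid !== '' && !preg_match('/^\d+$/', $tid)) {
        return ['tid' => $tid, 'reason' => 'non-numeric tid'];               // malformed, worth counting
    }
    return null;
}

// Runs classify_request over every line and returns the findings with their source line.
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $finding = classify_request($line);
        if ($finding !== null) {
            $finding['line'] = $line;
            $hits[] = $finding;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    foreach (scan_log(ACCESS_LOG_SAMPLE) as $hit) {
        printf("%-24s tid=%s\n    %s\n", $hit['reason'], $hit['tid'], $hit['line']);
    }
}
```

Run against the embedded sample, the scanner reports two of the five lines: the percent-encoded script tag (caught only because the value is decoded first) and the `12abc` value; the legitimate thread requests and the request to a different page produce nothing. Counting "non-numeric tid" findings per source address over a time window is the cheap way to surface the repeated malformed attempts the indicators list mentions.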