Platform: java
Component: alf.io
Fixed in: 2.0.1 (the advisory text below names 2.0-M4-2402 as the first fixed release)
CVE-2024-25627 describes a stored Cross-Site Scripting (XSS) vulnerability in Alf.io, a free and open-source event attendance management system. An attacker who has already obtained administrative privileges can upload HTML files containing JavaScript, which then executes in the browsers of users who open those files from the Alf.io origin. This vulnerability affects Alf.io versions up to and including 2.0-M4-2401 and is fixed in version 2.0-M4-2402.
The impact of CVE-2024-25627 comes from the ability to store and later execute attacker-controlled JavaScript inside the Alf.io application: the malicious script is delivered by uploading an HTML file through the administrative interface. Successful exploitation lets the attacker read session cookies that are not flagged HttpOnly and use them to act as the victim, deface the application, redirect users to malicious sites, or inject further malicious content. The blast radius is limited to users who interact with the affected Alf.io instance, and the attacker must already hold administrative access to initiate the attack.
CVE-2024-25627 has been publicly disclosed and is not currently listed on the CISA KEV catalog. No public proof-of-concept (PoC) code had been identified at the time of writing. The CVSS score of 3.5 (LOW) reflects the high privileges required and the limited integrity impact; it measures severity, not likelihood of exploitation, which the EPSS figure below estimates separately. The potential for session theft by a compromised or malicious administrator still warrants prompt remediation.
Exploit Status
EPSS: 0.56% (68th percentile)
CVSS Vector
The recommended mitigation for CVE-2024-25627 is to upgrade Alf.io to version 2.0-M4-2402 or later. The vendor provides no workaround, so upgrading is the only complete fix; until it is applied, keep the set of administrator accounts as small as possible, since administrative access is a precondition for the attack. Back up the Alf.io database and configuration files before upgrading so that a rollback is possible. After the upgrade, verify the fix in a test environment by uploading an HTML file containing a simple JavaScript alert payload through the administrative interface and then fetching it: the payload should be rejected or sanitized, or the file should no longer be served in a way that lets a browser execute it in the Alf.io origin.
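The verification step above, and the session-cookie caveat in the impact section, both come down to two questions that can be answered from an HTTP response alone: would a browser execute the stored upload as HTML in the application's origin, and is the session cookie readable from script? The following check is an added example written for this page; it is not Alf.io code and does not model Alf.io's upload endpoint. The header names are the standard ones; the response headers, cookie values and HTML body are constructed samples.

```python
"""
Added example, not code from alf.io: given the HTTP response a server
returns for a stored upload, decide whether the file would run as HTML
in the application's origin (stored XSS) and whether a session cookie
is exposed to script. All headers and bodies below are constructed.
"""
import re

# Markers of active content in an HTML body; deliberately broad, because an
# admin-uploaded file only needs one executable construct to matter.
ACTIVE_CONTENT = re.compile(
    r"<script\b|<iframe\b|<object\b|<embed\b|\son[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; a missing header reads as empty."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def _csp_sandboxes_scripts(csp: str) -> bool:
    """True when a CSP sandbox directive is present and does not re-enable scripts."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "sandbox":
            return "allow-scripts" not in (t.lower() for t in tokens[1:])
    return False


def assess_served_upload(headers: dict, body: str) -> dict:
    """Classify how a browser would treat a fetched upload.

    executes_script is True only when the response renders inline as HTML,
    the body carries active content, and no CSP sandbox blocks scripts.
    """
    media_type = _header(headers, "Content-Type").split(";")[0].strip().lower()
    disposition = _header(headers, "Content-Disposition").split(";")[0].strip().lower()
    nosniff = _header(headers, "X-Content-Type-Options").strip().lower() == "nosniff"
    # A missing Content-Type without nosniff may be sniffed to HTML: treat it as HTML.
    renders_as_html = (
        (media_type in HTML_TYPES or (not media_type and not nosniff))
        and disposition != "attachment"
    )
    active = bool(ACTIVE_CONTENT.search(body))
    sandboxed = _csp_sandboxes_scripts(_header(headers, "Content-Security-Policy"))
    return {
        "renders_as_html": renders_as_html,
        "active_content": active,
        "csp_sandbox": sandboxed,
        "executes_script": renders_as_html and active and not sandboxed,
    }


def cookie_readable_by_script(set_cookie: str) -> bool:
    """True when a Set-Cookie value lacks HttpOnly, i.e. document.cookie exposes it."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


# Constructed sample: a benign-looking upload carrying an inline script.
PAYLOAD = "<html><body><h1>Agenda</h1><script>alert(document.domain)</script></body></html>"

# Constructed sample responses: the first serves the file as an in-origin page,
# the second forces a download, declares a CSP sandbox and disables sniffing.
UNSAFE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Disposition": 'attachment; filename="agenda.html"',
    "Content-Security-Policy": "sandbox",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("unsafe", UNSAFE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, assess_served_upload(hdrs, PAYLOAD))
    print("session cookie readable:",
          cookie_readable_by_script("JSESSIONID=abc123; Path=/; Secure"))
```

Run it against the real responses captured while re-testing the upload after the upgrade: if `executes_script` is still True for an uploaded test file, the instance is still exposed regardless of the version string; if `cookie_readable_by_script` is True for the session cookie, the session-hijacking outcome described above remains possible for any XSS in that origin, not only this one.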
Upgrade Alf.io to version 2.0-M4-2402 or later. This version fixes the Cross-Site Scripting (XSS) vulnerability that allows the execution of malicious JavaScript code through HTML file uploads. The upgrade prevents attackers with administrative access from exploiting this vulnerability.
CVE-2024-25627 is a Cross-Site Scripting (XSS) vulnerability in Alf.io versions up to 2.0-M4-2401, allowing an administrator to inject malicious JavaScript code.
You are affected if you are running Alf.io version 2.0-M4-2401 or earlier. Upgrade to 2.0-M4-2402 or later to mitigate the risk.
The fix is to upgrade Alf.io to version 2.0-M4-2402 or later. There are no known workarounds.
There is no confirmed active exploitation of CVE-2024-25627 at this time, but the vulnerability is publicly known.
Refer to the official Alf.io security advisory for details and updates: [https://www.alf.io/security/advisories](https://www.alf.io/security/advisories)