Improper Input Validation (CWE-20)
Stirling-PDF, a locally hosted web application for PDF operations, has a vulnerability in its Merge functionality. The issue is in the file 'src/main/resources/static/js/merge.js' starting at Line 24, where user-supplied file names are written directly into innerHTML without sanitization. This allows a malicious user to upload files whose names contain HTML tags, potentially including JavaScript, which the browser then parses and executes in the context of the user.
This vulnerability enables a self-injection style attack: a user could be tricked into uploading a maliciously named file, leading to the execution of arbitrary JavaScript in their own browser. While the impact is limited to the user who uploads the file and does not directly affect other users, it breaks the security restrictions the application is expected to enforce. The potential impacts include:
1. Phishing attacks: Users could be socially engineered into running malicious code, potentially leading to credential theft or further system compromise.
2. Data exfiltration: Executed JavaScript could access and transmit sensitive information from the user's session.
3. Client-side malware execution: The injected code could potentially download and execute additional malware on the user's system.
4. Session hijacking: An attacker could potentially steal or manipulate the user's session data.
There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.
A patch is available. The vulnerability has been addressed in version 0.32.0 of Stirling-PDF. All users are advised to upgrade to this version or later to mitigate the risk.
The following mitigation steps are recommended:
1. Upgrade immediately: Update Stirling-PDF to version 0.32.0 or later, which addresses this vulnerability.
2. Input Validation: Implement strict input validation for file names, rejecting or sanitizing any input containing HTML or JavaScript code.
3. Content Security Policy: Implement a strong Content Security Policy to prevent the execution of inline scripts.
4. User Education: Inform users about the risks of uploading files from untrusted sources and the importance of verifying file names.
5. Regular Security Audits: Conduct regular code reviews and security audits to identify similar vulnerabilities in other parts of the application.
There are no known workarounds for this vulnerability other than upgrading to the patched version.
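The following is an added example, not code from Stirling-PDF's merge.js: it shows the unsafe pattern the advisory describes (a user-controlled file name concatenated into markup destined for innerHTML) next to the two defences from mitigation step 2, HTML-encoding the name for display and rejecting names that contain markup characters at upload time. The function names and the sample file list are constructed for this illustration; the render functions return the markup string rather than touching a DOM so the example runs under Node.

```javascript
// Shape of the flaw described in the advisory (hypothetical, not a copy of merge.js):
// the file name goes into the markup verbatim, so any tag inside it is parsed by
// the browser once the string is assigned to innerHTML.
function renderFileListUnsafe(files) {
  return files.map((f) => `<li>${f.name}</li>`).join('');
}

// Mitigation A: encode the characters that are significant in HTML before the
// name is placed in markup. In a browser the same effect is obtained by creating
// the <li> with document.createElement and setting textContent instead of innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderFileListSafe(files) {
  return files.map((f) => `<li>${escapeHtml(f.name)}</li>`).join('');
}

// Mitigation B: validate at upload time and reject names containing markup
// characters. Returns the names that fail validation so the caller can refuse them.
function rejectMarkupNames(files) {
  return files.filter((f) => /[<>"'&]/.test(f.name)).map((f) => f.name);
}

// Constructed sample input: one ordinary name and one carrying a harmless tag,
// standing in for any HTML a user could embed in a file name.
const SAMPLE_FILES = [
  { name: 'quarterly-report.pdf' },
  { name: 'notes<b>bold</b>.pdf' },
];

console.log(renderFileListUnsafe(SAMPLE_FILES)); // the <b> tag survives intact
console.log(renderFileListSafe(SAMPLE_FILES));   // the tag is rendered as literal text
console.log(rejectMarkupNames(SAMPLE_FILES));    // [ 'notes<b>bold</b>.pdf' ]
```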
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
NVD published the first details for CVE-2024-52286
A CVSS base score of 2 has been assigned.
Feedly found the first article mentioning CVE-2024-52286.
CVE-2024-52286 is a critical vulnerability in Stirling-PDF that allows unauthenticated users to execute JavaScript code through the Merge functionality by uploading files with malicious HTML tags in their names, impacting only the user who uploads the file. This self-injection attack has been addressed in version 0.32.0, and users are strongly advised to upgrade, as there are no known workarounds. There is no indication of exploitation in the wild or proof-of-concept exploits mentioned in the article.
Feedly estimated the CVSS score as MEDIUM
Feedly estimated the CVSS score as HIGH
Feedly estimated the CVSS score as MEDIUM
EPSS Score was set to: 0.04% (Percentile: 10.1%)