Haxcms Stored XSS to Mass Token Exfiltration and Cross-Tenant Hijack (CVE-2024-4911)

Vulnerability Overview Mass Token Exfiltration and Cross-Tenant Hijack Description: This vulnerability leverages Stored XSS and dynamic token exposure to enable cross-tenant account takeover. API responses dynamically leak authentication tokens (including , , , and ) for active sessions into the global JavaScript variable . An attacker can exploit the XSS vulnerability to force the victim's browser to silently retrieve specific connection settings, extract the tokens, and exfiltrate them to a webhook controlled by the attacker. Scope of Impact Affected Versions: - : <= 25.0.0 - : <= 25.0.0 Fixed Versions: - : 26.0.0 - : 26.0.0 Severity: Critical CVE ID: CVE-2024-4911 Weaknesses: - CWE-79 - CWE-522 - CWE-922 Remediation Fix: Upgrade to version 26.0.0 or higher. Proof of Concept (POC) Code Execution and Verification 1. Set up Webhook Target: Prepare an external webhook (e.g., webhook.site) to receive the stolen data. 2. Inject "Kill Chain" Payload: As an authenticated attacker (e.g., any user with edit access to a site), inject the following JavaScript code via a verified Stored XSS vector (e.g., by inspecting the page's HTML source and writing an ). 3. Execution and Verification: - When the victim (e.g., user ) views the tampered page, their browser automatically triggers the request, silently attaching their active session cookies. - The server responds with their connection settings. - The script parses their , , and other keys, encoding them in Base64. - The attacker receives a complete dump of the JWT and tokens in their webhook. Impact Severity: Critical Impact Description: This attack completely compromises the main defense mechanisms of the CMS. By stealing the and , an attacker can achieve full account takeover without needing the victim's password. They can impersonate the victim, bypass standard interface restrictions, and execute malicious administrative actions (creating/deleting sites, modifying user permissions, or uploading malicious content). The reliance on the global JavaScript variable to store long-lived administrative security tokens, when combined with XSS, creates a devastating vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Haxcms Stored XSS to Mass Token Exfiltration and Cross-Tenant Hijack (CVE-2024-4911)

More from this source