Product Name: Dynamic Dashboard
Vulnerability: Stored XSS
Vulnerable Version: >= 3.0.0, < 3.0.1
CVE: CVE-2024-47817
On October 5, 2024, security researchers from Astra discovered a severe Stored Cross-Site Scripting vulnerability in Dynamic Dashboard’s paragraph widget. The widget, used for text and Markdown content, does not adequately sanitize its input, allowing attackers to inject malicious code. The injected code executes in the browser of any user or admin who views the widget, compromising overall user security.
How Does a Stored XSS Vulnerability Occur?
Phase 1: Injection
The attack starts with the attacker injecting malicious JavaScript into the application, embedding the payload in Markdown links placed in the paragraph widget.
Phase 2: Storage
The code injected through the paragraph widget is stored in the application database and rendered in the affected section of the application, where it waits for any user or admin to load it.
Phase 3: Execution
Every time a user or admin visits the affected page containing the paragraph widget, the malicious code runs in their browser session. This can be used for data theft, account takeover or malware distribution.
Impact of Stored XSS Vulnerability
Session Hijacking
Attackers can use this vulnerability to hijack sessions by stealing other users’ cookies or session tokens, leading to unauthorized data access and complete account takeover.
Malware Distribution
Stored XSS is persistent: the payload is triggered for every user who interacts with the infected page, allowing attackers to spread malware through the injected pages.
Website Defacement
Malicious scripts used for XSS can also alter webpage content, inject ads or deface the website, disrupting the user experience and directly eroding users’ trust in the site.
Current Status and Mitigation
Following the discovery of the vulnerability, the Dynamic Dashboard development team was promptly notified. The team acknowledged that the vulnerability affected versions >3.0.0. It quickly applied fixes, including input sanitization and output encoding, in its v3.0.2 release to ensure that user-supplied code is not executed within the application.
What Can You Do?
Update any affected installation to the latest version released by the Dynamic Dashboard team.