Reflected XSS Vulnerability in Tungsten Automation TotalAgility
CVE-2024-7874


Key Information:

Vendor: Tungsten Automation
CVE Published: 6 December 2024

What is CVE-2024-7874?

Tungsten Automation's TotalAgility is vulnerable to reflected cross-site scripting (XSS) in all versions up to and including 7.9.0.25.0.954. The flaw stems from improper handling of the mfpConnectionId parameter when a form is submitted to the endpoints '/TotalAgility/Kofax/BrowserDevice/ScanFront.aspx' and '/TotalAgility/Kofax/BrowserDevice/ScanFrontDebug.aspx'. An attacker who can get a victim to submit such a request can inject JavaScript that executes in the victim's browser, potentially leading to disclosure of sensitive information. Exploitation requires a POST request that carries a correctly generated VIEWSTATE parameter, a precondition that lowers the practical risk.

Affected Version(s)

TotalAgility: 0 <= version <= 7.9.0.25.0.954

Timeline

  • Vulnerability published

Credit

Amin ACHOUR
Abderrahmane Bounhidja