Wavelog Live QSO Vulnerability: Remote Cross Site Scripting Attack Possible
CVE-2024-8521
Key Information:
- Vendor
- Wavelog
- Status
- Wavelog
- Vendor
- CVE Published:
- 7 September 2024
Badges
Summary
A cross-site scripting vulnerability has been identified in Wavelog's Live QSO component, specifically affecting versions up to 1.8.0. The issue resides in the argument manipulation within the index function of the /qso file, which can be exploited remotely by attackers. The vulnerability allows malicious actors to execute arbitrary scripts in the context of the user's session, posing significant security risks. To mitigate these risks, it is highly recommended that users upgrade to version 1.8.1, which includes a patch identified by commit b31002cec6b71ab5f738881806bb546430ec692e.
Affected Version(s)
Wavelog 1.0
Wavelog 1.1
Wavelog 1.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
prophaze.comCVE-2024-8521CVE-2024-8521 : WAVELOG UP TO 1.8.0 LIVE QSO /QSO INDEX MANUAL CROSS SITE SCRIPTING - Prophaze Web Application Security
CVE-2024-8521 : A vulnerability, which was classified as problematic, was found in Wavelog up to 1.8.0. Affected is the function index of the file /qso of the component Live QSO.
4 months ago
References
CVSS V3.1
Timeline
- π°
First article discovered by prophaze.com
- π‘
Public PoC available
- πΎ
Exploit known to exist
Vulnerability published
Vulnerability Reserved