Full Report
CERT Polska has received a report about 11 vulnerabilities found in the Internet Starter module of the SoftCOM iKSORIS software.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SoftCOM iKSORIS Internet Starter Module
## CVE Details
The report covers 11 vulnerabilities; the provided text details the following CVE entries:
- **CVE ID:** CVE-2024-10087
  - **CVSS Score:** N/A (Severity not provided, assuming Medium/High due to XSS)
  - **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation (XSS))
- **CVE ID:** CVE-2024-10088
  - **CVSS Score:** N/A
  - **CWE:** CWE-79 (Cross-site Scripting)
- **CVE ID:** CVE-2024-10089
  - **CVSS Score:** N/A
  - **CWE:** CWE-79 (Cross-site Scripting)
- **CVE ID:** CVE-2024-10090
  - **CVSS Score:** N/A
  - **CWE:** CWE-79 (Cross-site Scripting)
- **CVE ID:** CVE-2024-13597
  - **CVSS Score:** N/A
  - **CWE:** CWE-79 (Cross-site Scripting)
- **CVE ID:** CVE-2024-13598
  - **CVSS Score:** N/A
  - **CWE:** CWE-79 (Cross-site Scripting)
- **CVE ID:** CVE-2024-49705
  - **CVSS Score:** N/A
  - **CWE:** CWE-248 (Uncaught Exception)
- **CVE ID:** CVE-2024-49706
  - **CVSS Score:** N/A
  - **CWE:** CWE-601 (URL Redirection to Untrusted Site / Open Redirect)
- **CVE ID:** CVE-2024-49707
  - **CVSS Score:** N/A
  - **CWE:** CWE-79 (Reflected XSS)
- **CVE ID:** CVE-2024-49708
  - **CVSS Score:** N/A
  - **CWE:** CWE-79 (Stored XSS)
- **CVE ID:** CVE-2024-49709
  - **CVSS Score:** N/A
  - **CWE:** Session Management (Implied, related to session cookie mismanagement)
## Affected Systems
- **Products:** SoftCOM iKSORIS (Internet Starter module)
- **Versions:** All versions prior to 79.0 (Note: CVE-2024-10090 affects versions before 1.78.28, which is likely encompassed by the 79.0 upgrade)
- **Configurations:** General usage configurations, potentially involving form submissions, URL parameters, and session handling.
## Vulnerability Description
The module is affected by multiple Cross-Site Scripting (XSS) vulnerabilities (Stored, Reflected, and generalized CWE-79 issues) arising from improper input neutralization when creating new parameters or handling form inputs (including password reset and delivery address forms).
1. **XSS (CVE-2024-10087, -10088, -10089, -13597, -13598, -49707, -49708):** Malicious scripts can be executed in the context of a victim user by tricking them into inputting malicious payloads into vulnerable forms.
2. **Denial of Service (DoS) (CVE-2024-49705):** Client-side DoS can occur if a user navigates to a URL with a specially crafted `_d_` parameter, causing the server to return an unhandled error that persists via session cookies until the session expires or cookies are manually deleted. A similar effect occurs when changing the platform language to an unimplemented one.
3. **Open Redirect (CVE-2024-49706):** An attacker can inject base64-encoded URLs into the `_target_` parameter sent via POST requests, leading to redirection to untrusted sites.
4. **Session Hijacking (CVE-2024-49709):** The module improperly allows setting arbitrary session cookie values. An attacker with access to the user's browser could set this cookie, allowing session takeover upon user login. Furthermore, the system fails to destroy old sessions when new ones are created, extending the window for successful account takeover.
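A fail-closed validation of the base64-encoded `_target_` value before it is placed in a redirect, as an added example that is not part of the advisory or of the iKSORIS code base. The parameter name comes from the advisory; the plain-base64 encoding, the fallback location and the hostnames used are assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed example of validating the base64-encoded _target_ value before
# redirecting (CVE-2024-49706). The parameter name is from the advisory; the
# decoding scheme, hostnames and fallback are assumptions, not iKSORIS code.
DEFAULT_TARGET = "/"

def encode_target(url):
    """How a legitimate client would encode _target_ (assumed: plain base64)."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")

def decode_target(raw):
    """Strict base64 decode; None when the value is not valid base64/UTF-8."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def safe_redirect_target(raw, allowed_hosts=frozenset()):
    """Return a redirect Location that stays on this site or goes to an
    explicitly allowlisted host; anything unproven falls back to DEFAULT_TARGET.
    Failing closed is the point: the attacker-controlled value never reaches
    the Location header unless every check passes."""
    decoded = decode_target(raw)
    if decoded is None:
        return DEFAULT_TARGET
    # Control characters and whitespace: some URL parsers strip them, so a
    # scheme check done only after parsing could be bypassed.
    if any(ord(c) < 0x21 for c in decoded):
        return DEFAULT_TARGET
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") URL: only http(s) to an
        # allowlisted host is acceptable.
        if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
            return decoded
        return DEFAULT_TARGET
    # Relative URL: exactly one leading slash and no backslashes, which some
    # browsers normalise to "/" (turning "/\host" into "//host").
    if not decoded.startswith("/") or decoded.startswith("//") or "\\" in decoded:
        return DEFAULT_TARGET
    return decoded
```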
## Exploitation
- **Status:** PoC available (implied: these are tracked advisories and the described mechanisms suggest easy exploitability, although public disclosure of an explicit PoC is not confirmed in the text).
- **Complexity:** Likely Low to Medium, given multiple XSS vectors and direct session cookie manipulation.
- **Attack Vector:** Network (via malicious links/POST requests) or potentially Local (if an attacker gains access to the user's browser context).
## Impact
- **Confidentiality:** High (due to XSS and potential session hijacking).
- **Integrity:** High (due to XSS scripts running in user context, leading potentially to data modification).
- **Availability:** Medium (DoS vulnerability described in CVE-2024-49705).
## Remediation
### Patches
- **All specified vulnerabilities are patched in version 79.0 of SoftCOM iKSORIS.**
### Workarounds
- **For CVE-2024-49705 (DoS):** Users should avoid clicking suspicious links containing the `_d_` parameter or attempting to change the platform language to unknown locales until patched.
- **For CVE-2024-49709 (Session Hijacking):** Implement strict session management policies; users should manually clear cookies if compromise is suspected, although upgrading is the definitive fix.
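What "strict session management" means in code for the CVE-2024-49709 class of issue, as an added example (not iKSORIS code and not from the advisory): the server only honours session IDs it issued, rotates the ID at login, and destroys the pre-login session. The store, TTL and the planted cookie value are constructed for the example.

```python
import secrets
import time

class SessionStore:
    """Server-side session store with the two controls CVE-2024-49709 calls for
    (constructed example, not iKSORIS code): a cookie value is honoured only if
    this server issued it and it has not expired, so a value planted in the
    victim's browser is never adopted; and login issues a brand-new ID and
    destroys the pre-login session, so no ID known before authentication can
    become an authenticated one."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._sessions = {}   # sid -> {"user": str or None, "created": float}
        self._ttl = ttl_seconds
        self._clock = clock   # injectable for deterministic expiry tests

    def _issue(self, user=None):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "created": self._clock()}
        return sid

    def _valid(self, sid):
        data = self._sessions.get(sid)
        return data is not None and self._clock() - data["created"] <= self._ttl

    def resolve(self, cookie_sid):
        """Map an incoming cookie value to the session ID the request will use."""
        if self._valid(cookie_sid):
            return cookie_sid
        self._sessions.pop(cookie_sid, None)   # drop expired entry; ignore forged one
        return self._issue()

    def login(self, cookie_sid, user):
        """Authenticate: issue a fresh ID and destroy the session the cookie named."""
        self._sessions.pop(cookie_sid, None)
        return self._issue(user)

    def user_for(self, cookie_sid):
        return self._sessions[cookie_sid]["user"] if self._valid(cookie_sid) else None

def fixation_attempt_fails(store=None):
    """CVE-2024-49709 scenario against the hardened store: an attacker plants a
    cookie value, the victim logs in with it present, the attacker then presents
    the planted value. True when the planted value maps to no user."""
    store = store or SessionStore()
    planted = "attacker-chosen-value"            # set in the victim's browser
    victim_sid = store.login(planted, "victim")  # victim authenticates
    return (store.user_for(planted) is None
            and store.user_for(victim_sid) == "victim"
            and victim_sid != planted)
```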
## Detection
- **Indicators of Compromise:** Unintended cross-site navigation, unexpected administrative actions performed by users, unusually high error rates associated with specific parameter inputs (`_d_`), or session tokens used from an origin other than the one that established them.
- **Detection methods and tools:** Web application scanners capable of detecting reflected and stored XSS payloads in input fields and redirects; monitoring server logs for unhandled exceptions related to parameter processing (especially `_d_` and language settings).
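The log-monitoring idea above worked through on constructed access-log lines, as an added example that is not from the advisory: it flags clients that repeatedly trigger server errors on requests carrying `_d_`, the CVE-2024-49705 failure mode. The combined log format, paths, client addresses and parameter values are all invented for the example; only the parameter name is from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). Paths, client
# addresses and parameter values are invented; only the _d_ name is from the
# advisory. One client repeats 5xx on _d_, one has a single 5xx, one has no _d_.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2025:10:00:01 +0200] "GET /start/index?_d_=junk1 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2025:10:00:02 +0200] "GET /start/index?_d_=junk2 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2025:10:00:03 +0200] "GET /start/index?_d_=junk3 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2025:10:01:00 +0200] "GET /start/index?_d_=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2025:10:01:05 +0200] "GET /start/index?_d_=43 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Apr/2025:10:02:00 +0200] "GET /start/profile HTTP/1.1" 500 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["params"] = parse_qs(urlsplit(rec["url"]).query, keep_blank_values=True)
    return rec

def find_d_param_errors(log_text, threshold=2):
    """Return {client_ip: [(timestamp, _d_ value), ...]} for clients that caused
    at least `threshold` server errors on requests carrying _d_. A single 5xx is
    noise; repeated ones from one client on this parameter match the
    CVE-2024-49705 failure mode and, after patching, still reveal probing."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] < 500 or "_d_" not in rec["params"]:
            continue
        hits[rec["ip"]].append((rec["ts"], rec["params"]["_d_"][0]))
    return {ip: events for ip, events in hits.items() if len(events) >= threshold}
```

Because the advisory notes that the broken state persists via the session cookie, a single client may keep producing 5xx on every page after one bad `_d_` request; correlating by session cookie rather than only by client address would make that visible too.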
## References
- Vendor advisories (Specific URL not provided, assumed to be via SoftCOM channels)
- CERT Polska Advisory: *Vulnerabilities in SoftCOM iKSORIS software* (Published 14 April 2025)
- Coordinated Vulnerability Disclosure process: hxxps://cert.pl/en/cvd/