Skip to main content

CVE-2024-0758: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Medium
VulnerabilityCVE-2024-0758cvecve-2024-0758cwe-79
Published: Fri Jan 19 2024 (01/19/2024, 20:19:40 UTC)
Source: CVE Database V5

Description

MolecularFaces before 0.3.0 is vulnerable to cross site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles.

AI-Powered Analysis

AILast updated: 07/08/2025, 16:43:32 UTC

Technical Analysis

CVE-2024-0758 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting MolecularFaces versions prior to 0.3.0. MolecularFaces is a software component that processes molecular file formats (molfiles). The vulnerability arises due to improper neutralization of input during web page generation, allowing an attacker to inject and execute arbitrary JavaScript code within the context of a victim's browser. Specifically, a remote attacker can craft malicious molfiles that, when processed by a vulnerable MolecularFaces instance and viewed by a user, trigger the execution of attacker-controlled scripts. This can lead to unauthorized actions such as session hijacking, credential theft, or redirection to malicious sites. The CVSS v3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is not affected. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on January 19, 2024.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, particularly for those using MolecularFaces in web applications or internal tools that process molecular data. Exploitation could lead to unauthorized script execution in users' browsers, potentially compromising user sessions and sensitive data. This is especially concerning for research institutions, pharmaceutical companies, and chemical industries prevalent in Europe that rely on molecular visualization or analysis tools. The vulnerability could be leveraged in targeted phishing campaigns where malicious molfiles are sent to employees, leading to credential theft or lateral movement within networks. Although the impact on availability is negligible, the breach of confidentiality and integrity could result in data leaks or manipulation, undermining trust and compliance with data protection regulations such as GDPR. The requirement for user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments where users frequently handle molecular data files.

Mitigation Recommendations

European organizations should implement several specific mitigations: 1) Immediately upgrade MolecularFaces to version 0.3.0 or later once available to ensure the vulnerability is patched. 2) Until patches are released, implement strict input validation and sanitization on all molecular file inputs, ensuring that any embedded scripts or suspicious content are neutralized before rendering. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, limiting the impact of potential XSS attacks. 4) Educate users, especially those in scientific and research roles, about the risks of opening untrusted molfiles and encourage verification of file sources. 5) Monitor network and application logs for unusual activity related to molecular file processing. 6) Use web application firewalls (WAFs) with custom rules to detect and block malicious payloads embedded in molfiles. 7) Isolate molecular file processing components in sandboxed environments to contain potential exploitation effects.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
VulnCheck
Date Reserved
2024-01-19T17:35:18.459Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6839c41d182aa0cae2b435b9

Added to database: 5/30/2025, 2:43:41 PM

Last enriched: 7/8/2025, 4:43:32 PM

Last updated: 8/15/2025, 9:22:58 AM

Views: 10

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats