
CVE-2024-36498: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Image Access GmbH Scan2Net

Severity: Medium
Tags: Vulnerability, CVE-2024-36498, cve, cwe-79
Published: Thu Dec 12 2024 (12/12/2024, 12:46:43 UTC)
Source: CVE Database V5
Vendor/Project: Image Access GmbH
Product: Scan2Net

Description

Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function, which is available at the URL https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre. The stored JavaScript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. Version 7.40 implemented a fix, but it could be bypassed by URL-encoding the JavaScript payload again.

AI-Powered Analysis

Last updated: 11/04/2025, 00:04:00 UTC

Technical Analysis

CVE-2024-36498 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in Image Access GmbH's Scan2Net product, version 7.40. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the 'Edit Disclaimer Text' feature within the configuration menu. This function is accessible only to users with Poweruser or Admin privileges via a specific URL endpoint. An attacker with access to these roles can inject arbitrary JavaScript code into the disclaimer text, which is then stored and executed every time the ScanWizard interface loads, including in the Kiosk-mode browser environment. This persistent XSS allows the attacker to run malicious scripts in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. Although a fix was implemented in version 7.40, it was found to be insufficient as the payload can bypass sanitization by double URL-encoding the JavaScript code. The vulnerability has a CVSS 3.1 base score of 4.7, indicating medium severity, with an attack vector over the network, low attack complexity, no privileges required, but requiring user interaction. No known exploits have been reported in the wild as of the publication date. The vulnerability affects the confidentiality and integrity of user sessions but does not impact availability. The scope is limited to users who load the ScanWizard interface after the malicious payload has been injected.

Potential Impact

For European organizations using Image Access GmbH Scan2Net scanners, this vulnerability poses a risk of session hijacking, unauthorized actions, and potential compromise of user credentials or sensitive information within the scanner's web interface. Since the vulnerability affects the administrative configuration interface, attackers who gain or already have Poweruser or Admin access can implant persistent malicious scripts that execute for other users, potentially leading to lateral movement or further compromise within the network. The impact is particularly relevant for organizations relying on Scan2Net devices for document scanning workflows, including government agencies, financial institutions, and enterprises with strict data handling requirements. Exploitation could undermine trust in document processing integrity and expose internal users to phishing or malware delivery via the scanner interface. Although the vulnerability does not directly affect system availability, the integrity and confidentiality risks could lead to compliance violations under GDPR if personal data is exposed or manipulated. The medium severity score reflects the need for timely remediation to prevent exploitation, especially in environments where multiple users access the scanner interface.

Mitigation Recommendations

European organizations should immediately verify the Scan2Net product version in use and upgrade to a version where the vulnerability is fully patched beyond the partial fix in 7.40. If an updated version is not yet available, restrict access to the 'Edit Disclaimer Text' function strictly to trusted administrators and monitor for suspicious activity. Implement network segmentation and access controls to limit exposure of the scanner's web interface to only authorized personnel. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to inject or execute encoded JavaScript payloads targeting the vulnerable endpoint. Conduct regular security audits and penetration tests focusing on the scanner's web interface to identify any residual injection vectors. Educate administrators about the risks of stored XSS and the importance of sanitizing input fields, even in administrative functions. Additionally, monitor logs for unusual access patterns or repeated attempts to exploit the vulnerability. Finally, consider disabling the 'Edit Disclaimer Text' feature if it is not essential to operations until a secure patch is applied.
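To show the class of filter failure the description names (a sanitizer that URL-decodes once, so a payload encoded a second time survives the check) and the canonicalize-before-match rule that the WAF and log-monitoring recommendations above depend on, here is an added Python example. It is not Scan2Net's code and does not reproduce the product's real code path; the filter shape, the function names and the sample value are assumptions constructed for illustration.

```python
from html import escape
from urllib.parse import unquote

# Constructed sample value (not taken from the advisory): a script tag that has
# been URL-encoded twice, so a single decode still yields percent-encoded text.
DOUBLE_ENCODED = "%253Cscript%253Ealert(1)%253C%252Fscript%253E"


def naive_sanitize(raw: str) -> str:
    """Hypothetical single-pass filter: decode the form value once, strip the
    obvious tag, and store the result. This models the failure mode only; it
    is not a copy of the vendor's code."""
    decoded = unquote(raw)
    return decoded.replace("<script>", "").replace("</script>", "")


def naive_filter_bypassed(raw: str) -> bool:
    """True when the value that passed naive_sanitize turns back into a script
    tag after one more decoding step downstream (for example in the page that
    renders the stored disclaimer)."""
    return "<script>" in unquote(naive_sanitize(raw))


def canonicalize(raw: str, max_rounds: int = 5) -> str:
    """Decode until the string stops changing, with a bound so that deeply
    nested encodings are rejected instead of being peeled round after round."""
    current = raw
    for _ in range(max_rounds):
        nxt = unquote(current)
        if nxt == current:
            return current
        current = nxt
    raise ValueError("value still changing after %d decode rounds" % max_rounds)


def render_disclaimer(raw: str) -> str:
    """Hardened output path: canonicalize first, then HTML-escape at the point
    of rendering, so the browser receives text rather than markup no matter
    how many times the stored value was encoded."""
    return escape(canonicalize(raw), quote=True)


def looks_like_script_injection(raw: str) -> bool:
    """Detection rule of the kind a WAF or log monitor could apply to this
    endpoint: match on the canonical form, because a literal '<script' match
    never sees percent-encoded variants."""
    return "<script" in canonicalize(raw).lower()
```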


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2024-05-29T06:48:49.689Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69092626fe7723195e0b5ac0

Added to database: 11/3/2025, 10:01:10 PM

Last enriched: 11/4/2025, 12:04:00 AM

Last updated: 11/5/2025, 2:10:30 PM
