CVE-2024-37672: n/a
Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter.
AI Analysis
Technical Summary
CVE-2024-37672 is a medium-severity Cross Site Scripting (XSS) vulnerability in Tessi Docubase Document Management version 5.x, classified as CWE-79. The idactivity parameter is not adequately validated or encoded before it is written back into the page, so a remote attacker can place script in it. The "arbitrary code" in the CVE description is therefore script running in the victim's browser within the origin of the Docubase application, not code running on the server. A victim who opens a crafted URL or submits a crafted value runs that script under their own session, which enables session hijacking where the session cookie is not HttpOnly, exfiltration of documents the victim can read, and forged actions in the document workflow. The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N breaks down as follows: the application is reachable over the network and the attack has low complexity; PR:L means the attacker needs an account with limited privileges on the application to plant or deliver the payload; UI:R means a victim must interact, typically by opening the link or page; S:C means the impact lands in a component other than the vulnerable one, here the victim's browser rather than the web application itself; confidentiality and integrity impact are rated low and availability is unaffected. The page records no public patch and no public exploit code at the time of writing, but the record is published and the fix should not wait for either. CWE-79 covers both reflected and stored XSS; the description does not say which applies here, and the remediation is the same for both.
Potential Impact
The impact is to confidentiality and integrity. Script running in an authenticated user's browser can read what that user can read (document contents, metadata, and the session token where the cookie is not HttpOnly) and do what that user can do in the document management workflow (approve, move, share or delete documents, change settings). If the victim is an administrator, the attacker's low-privileged account effectively inherits administrative actions for the life of that session, which is the practical route to privilege escalation with this class of bug. Availability is not affected. For organisations that run Docubase as a system of record, the consequences are data leakage, loss of document integrity, and possible regulatory and contractual exposure. The need for user interaction and for an existing low-privileged account raises the bar, but in a large user base, or one already exposed to phishing, neither is hard to obtain. No exploit is known in the wild; reflected XSS needs little development effort once the parameter is known, so that status should not be read as low risk.
Mitigation Recommendations
Apply the vendor fix or upgrade as soon as Tessi releases one; the page lists none at the time of writing, so everything below is interim. At the application layer the correct fix is allow-list validation of idactivity (reject anything that is not a well-formed activity identifier) combined with contextual output encoding wherever the value is written into HTML, attribute, JavaScript or URL contexts; validation alone is not sufficient if the value is later rendered unencoded elsewhere. A Content Security Policy that disallows inline script (nonce- or hash-based script-src, no 'unsafe-inline') stops most reflected payloads from executing even while the bug is present. Mark the session cookie HttpOnly and SameSite so a successful injection cannot simply read it, and keep session lifetimes short. A WAF rule that inspects the decoded idactivity value for HTML or JavaScript markers is a reasonable stop-gap, with the caveat that encoding tricks and filter evasion mean it is not a substitute for the fix. For detection, log requests with parameter values decoded and alert on idactivity values containing <, >, quote characters, javascript: or on*= event handlers, and on repeated probing of the parameter from one source. User awareness of unsolicited Docubase links reduces the chance that the user-interaction condition is satisfied. Finally, include the product's other reflected parameters in the next web application assessment, since the same code path may handle them.
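To make the mechanism in the technical summary and the controls in this section concrete, here is an added example written for this page; it is not Docubase code and nothing in it is taken from the product. It models a hypothetical handler that echoes idactivity into HTML, shows the same handler with allow-list validation and contextual encoding (the numeric-id format and the /docubase/activity path are assumptions), a baseline nonce-based CSP header, and a detector that scans constructed access-log lines for idactivity values carrying HTML or script markers, including a double-encoded one.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit


# Hypothetical handler modelling CWE-79 (not Docubase code): the parameter
# is concatenated into the response untouched, so a crafted idactivity
# value becomes markup and script in the victim's browser.
def render_vulnerable(idactivity: str) -> str:
    return f"<h2>Activity {idactivity}</h2>"


def encode_for_html(value: str) -> str:
    """Contextual output encoding for HTML element content and quoted
    attribute values: & < > " ' are replaced with entities."""
    return html.escape(value, quote=True)


def render_hardened(idactivity: str) -> str:
    """Allow-list validation, then output encoding. Assumption: a genuine
    activity id is 1-12 decimal digits; adjust to the product's format."""
    if not re.fullmatch(r"[0-9]{1,12}", idactivity):
        raise ValueError("idactivity is not a well-formed activity id")
    # Encode anyway: validation protects this handler, encoding protects
    # every other place the value may later be rendered.
    return f"<h2>Activity {encode_for_html(idactivity)}</h2>"


def csp_header(nonce: str) -> str:
    """Baseline CSP that refuses inline script unless it carries the
    per-response nonce, so a reflected <script> block does not execute."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


# Detection side. Markers that have no business in an activity id.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon[a-z]+\s*=', re.IGNORECASE)

# Common log format; only the fields the detector needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_idactivity(request_path: str):
    """Return the decoded idactivity value when it carries injection
    markers, else None. parse_qs removes one percent-encoding layer;
    unquote_plus removes a second so double-encoded probes are caught."""
    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    for value in query.get("idactivity", []):
        decoded = unquote_plus(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan_log(text: str) -> list:
    """Return (client_ip, decoded_payload) for each request whose
    idactivity value looks like an XSS probe."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match is None:
            continue
        payload = suspicious_idactivity(match["path"])
        if payload is not None:
            hits.append((match["ip"], payload))
    return hits


# Constructed sample log lines (not real Docubase traffic). The second and
# third carry classic reflected payloads; the fourth is double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2026:10:00:01 +0000] "GET /docubase/activity?idactivity=1234 HTTP/1.1" 200 512
10.0.0.7 - - [12/Apr/2026:10:00:02 +0000] "GET /docubase/activity?idactivity=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [12/Apr/2026:10:00:03 +0000] "GET /docubase/activity?idactivity=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 640
10.0.0.7 - - [12/Apr/2026:10:00:04 +0000] "GET /docubase/activity?idactivity=%253Cscript%253E HTTP/1.1" 200 640
"""

if __name__ == "__main__":
    print(render_vulnerable("<script>alert(1)</script>"))
    print(render_hardened("1234"))
    print(csp_header("r4nd0m"))
    for ip, payload in scan_log(SAMPLE_LOG):
        print(f"{ip} probed idactivity with {payload!r}")
```

The detector deliberately decodes twice: a WAF or log search that matches on the raw query string misses the fourth line entirely, which is the usual way reflected-XSS probes slip past naive filters. Tune the SUSPICIOUS pattern to the real id format once it is known; with a strict numeric allow-list, anything non-numeric is already worth an alert.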
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Belgium, Netherlands, Switzerland, United States, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-06-10T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c6db7ef31ef0b563e1a
Added to database: 2/25/2026, 9:41:01 PM
Last enriched: 2/26/2026, 5:18:41 AM
Last updated: 4/12/2026, 3:16:39 PM