CVE-2024-57372 is a Cross Site Scripting (XSS) vulnerability classified under CWE-79, found in the InformationPush master version. This vulnerability arises due to improper sanitization of user-supplied input in the title, time, and msg parameters, which are used in the application’s web interface. An attacker can craft malicious payloads that, when processed by the vulnerable application and viewed by users, execute arbitrary JavaScript in the context of the victim’s browser. The vulnerability is remotely exploitable over the network without requiring authentication (AV:N/PR:N), but it requires user interaction (UI:R), such as clicking a crafted link or viewing a manipulated page. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, potentially impacting the confidentiality and integrity of data. The CVSS v3.1 base score is 6.1, reflecting medium severity due to the potential for sensitive information disclosure and session manipulation, although availability is not impacted. No patches or fixes have been published at the time of this report, and no known exploits have been observed in the wild. The vulnerability highlights the need for proper input validation and output encoding in web applications to prevent script injection attacks.

The primary impact of CVE-2024-57372 is the potential disclosure of sensitive information through the execution of malicious scripts in users’ browsers. This can lead to theft of session tokens, user credentials, or other confidential data accessible via the web interface. Additionally, attackers might manipulate the integrity of displayed information or perform actions on behalf of the user (e.g., via session hijacking). Although availability is not affected, the breach of confidentiality and integrity can undermine trust in the affected application and lead to further exploitation within an organization’s network. Organizations relying on InformationPush for notifications or data dissemination may face risks of data leakage and targeted phishing attacks leveraging this vulnerability. The lack of authentication requirement and ease of exploitation via crafted URLs increase the attack surface, especially in environments with many users accessing the application via web browsers.

To mitigate CVE-2024-57372, organizations should implement strict input validation and output encoding for all user-controllable parameters, especially title, time, and msg fields. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Until an official patch is released, consider disabling or restricting access to vulnerable components or features that process these parameters. Security teams should monitor network traffic and logs for suspicious requests containing script payloads targeting these parameters. User education on avoiding clicking untrusted links can reduce successful exploitation. Once a patch or update is available from the InformationPush vendor, apply it promptly. Additionally, conducting regular security assessments and penetration testing focusing on XSS vulnerabilities will help identify and remediate similar issues proactively.