CVE-2024-11493 Overview
CVE-2024-11493 is a cross-site scripting (XSS) vulnerability affecting 115cms versions up to 20240807. The flaw resides in the /index.php/setpage/admin/pageAE.html endpoint, where the tid parameter is reflected without proper sanitization. An authenticated remote attacker can inject arbitrary script content that executes in a victim's browser session. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Public disclosure has occurred, and the vendor did not respond to outreach prior to publication.
Critical Impact
Successful exploitation enables session hijacking, credential theft via injected forms, and execution of unauthorized administrative actions within the 115cms backend.
Affected Products
- 115cms versions up to and including 20240807
- Component: /index.php/setpage/admin/pageAE.html
- Vulnerable parameter: tid
Discovery Timeline
- 2024-11-20 - CVE-2024-11493 published to NVD
- 2024-11-22 - Last updated in NVD database
Technical Details for CVE-2024-11493
Vulnerability Analysis
The vulnerability is a reflected cross-site scripting flaw in the 115cms administrative page editor. The script /index.php/setpage/admin/pageAE.html accepts a tid argument from the HTTP request and renders its value into the response output without applying contextual output encoding or input filtering. As a result, an attacker can craft a URL containing JavaScript payloads in tid and deliver it to an authenticated user. When the target loads the URL, the browser executes the attacker-controlled code under the origin of the 115cms application. The flaw requires low privileges and no user interaction beyond clicking a malicious link.
Root Cause
The root cause is improper neutralization of input during web page generation, mapped to CWE-79. The application trusts the tid parameter and writes it into HTML output without HTML-entity encoding or allowlist validation. No content security policy mitigates the injection, and the administrative context provides access to sensitive functionality.
Attack Vector
The attack is network-based and requires an authenticated session with at least low privileges. An attacker constructs a request such as /index.php/setpage/admin/pageAE.html?tid=<payload>, where <payload> is a script fragment. Delivery typically occurs via phishing or a crafted link sent to an authenticated administrator. Upon execution, the injected script can read cookies that are not marked HttpOnly, manipulate the DOM to capture credentials, or issue background requests to administrative endpoints. Technical details are documented in the GitHub Issue Discussion and VulDB entry #285508.
Detection Methods for CVE-2024-11493
Indicators of Compromise
- HTTP requests to /index.php/setpage/admin/pageAE.html containing script tags, event handlers (onerror=, onload=), or encoded payloads in the tid parameter.
- Unexpected outbound requests from administrator browsers to attacker-controlled domains shortly after accessing the admin panel.
- Anomalous administrative actions originating from valid sessions, suggesting hijacked cookies or forged requests.
Detection Strategies
- Inspect web server access logs for tid query strings containing <, >, script, javascript:, %3C, or other encoded XSS markers.
- Deploy a Web Application Firewall (WAF) signature targeting reflected XSS patterns on the pageAE.html endpoint.
- Correlate admin login events with subsequent unusual DOM-modifying or data-exfiltrating browser activity.
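The access-log inspection in the first strategy above, as an added example (not code from the advisory or from 115cms). It assumes Common Log Format request lines; the sample log lines are constructed, and `fully_decode`, `suspicious_tid` and `scan` are hypothetical helper names. Unlike a raw-string match, it percent-decodes repeatedly so double-encoded markers such as %253C are also caught.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/index.php/setpage/admin/pageAE.html"
# Markers named in the detection guidance, matched after decoding.
# The bare keyword "script" also matches words such as "description".
MARKERS = re.compile(r"[<>]|script|javascript:|on(?:error|load)\s*=", re.I)
# Request field of a Common Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, marker fragments only).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2024:10:02:11 +0000] "GET /index.php/setpage/admin/pageAE.html?tid=12 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [21/Nov/2024:10:02:15 +0000] "GET /index.php/setpage/admin/pageAE.html?tid=%3Cscript%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [21/Nov/2024:10:03:40 +0000] "GET /index.php/setpage/admin/pageAE.html?id=1&tid=%253Cimg%2520onerror%253Dx%253E HTTP/1.1" 200 5190',
    '203.0.113.9 - - [21/Nov/2024:10:04:02 +0000] "GET /index.php/other.html?tid=%3Cscript%3E HTTP/1.1" 404 310',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_tid(line):
    """Return the decoded tid value if the line should be flagged, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    target = urlsplit(m.group(1))
    if unquote(target.path) != ENDPOINT:
        return None
    for raw in parse_qs(target.query, keep_blank_values=True).get("tid", []):
        value = fully_decode(raw)  # parse_qs has already decoded once
        if MARKERS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_tid) for every flagged request."""
    hits = ((n, suspicious_tid(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v is not None]

if __name__ == "__main__":
    for lineno, tid in scan(SAMPLE_LOG):
        print(f"line {lineno}: suspicious tid value {tid!r}")
```
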
Monitoring Recommendations
- Forward 115cms web access logs to a centralized log analytics platform and alert on suspicious query parameter content.
- Monitor administrator endpoints for browser-based command-and-control indicators and credential theft behavior.
- Track session token usage patterns to identify reuse from unexpected IP addresses or user agents.
How to Mitigate CVE-2024-11493
Immediate Actions Required
- Restrict access to the 115cms administrative interface to trusted IP ranges or VPN-only access until a patch is available.
- Educate administrators not to click untrusted links while authenticated to the CMS.
- Enable HttpOnly and Secure flags on session cookies to limit the impact of script execution.
Patch Information
No vendor patch has been published. The vendor did not respond to disclosure outreach according to the VulDB advisory. Operators should consider migrating to an alternative CMS or implementing compensating controls until a fix is released.
Workarounds
- Deploy a reverse proxy or WAF rule that rejects requests to /index.php/setpage/admin/pageAE.html when the tid parameter contains HTML control characters or script keywords.
- Apply a strict Content-Security-Policy header that disallows inline scripts to reduce exploitability.
- Filter and HTML-entity encode the tid parameter at the application or proxy layer before it reaches the vulnerable handler.
# Example NGINX rule to block obvious XSS payloads in the tid parameter
location /index.php/setpage/admin/pageAE.html {
    if ($args ~* "tid=[^&]*(<|%3C|script|javascript:|onerror=|onload=)") {
        return 403;
    }
    proxy_pass http://115cms_backend;
}


