Zucchetti Ad Hoc Infinity Stored Cross-Site Scripting Vulnerability Allowing Remote Code Execution

Vulnerability

A stored cross-site scripting vulnerability has been identified in Zucchetti Ad Hoc Infinity version 2.4. An authenticated user who holds the privilege to add attachments to invoices can upload an HTML document containing a script payload. The application stores the file as-is and serves it back as an attachment, so the embedded script runs in the browser of any user who later opens it, in the context of the application's origin.

Impact

Exploitation allows attacker-supplied script to execute in the browser of every user who opens the malicious attachment, with the session and privileges of that user within the application's origin. The script runs client-side, not on the server hosting the application; the "remote code execution" wording in the title refers to this stored script execution, and no server-side code execution is described.

Reproduction

To reproduce this vulnerability, an authenticated user with privileges to add attachments uploads an HTML file containing a script payload through the invoice management feature. Once uploaded, the file appears in the invoice's list of attachments. Opening the attachment causes the browser to render the stored HTML and execute the embedded script, demonstrating the stored cross-site scripting vulnerability; any user who views the attachment is affected, not only the uploader.

Remediation

Users are advised to update to Zucchetti Ad Hoc Infinity version 4.2, where this vulnerability has been patched.
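The following is an added example and is not Zucchetti's code; it illustrates the mechanism described in the Reproduction section and the class of fix implied by the Remediation section. It assumes a hypothetical download handler that picks response headers for a stored attachment (the function names, the allowed-extension list and the sample payload are all constructed for this illustration). The vulnerable variant trusts the file extension and serves the file inline, which is exactly what lets an uploaded HTML document execute; the hardened variant forces a download, pins the content type, and rejects browser-executable markup at upload time.

```python
"""Added example (not part of the advisory or the vendor's code): why an
HTML attachment served inline becomes stored XSS, and how a download endpoint
should hand the same bytes back so the browser never executes them.

Assumptions: attachments are stored as raw bytes plus the original filename,
and a download handler chooses the response headers. All names are illustrative.
"""
import mimetypes
import re
import unicodedata

# Types the browser will parse and execute if served inline. SVG and XHTML are
# included because both can carry <script>; XML because browsers render it too.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}

# Leading bytes that mark a file as markup regardless of what its name says.
_MARKUP_SNIFF = re.compile(rb"^\s*(<!doctype|<html|<script|<svg|<\?xml)", re.IGNORECASE)

# Assumed allow-list for invoice attachments; adjust to what the business needs.
ALLOWED_EXTENSIONS = ("pdf", "png", "jpg", "jpeg")


def looks_like_active_content(filename: str, data: bytes) -> bool:
    """True when the extension or the leading bytes identify browser-executable markup."""
    guessed, _ = mimetypes.guess_type(filename)
    if guessed in ACTIVE_CONTENT_TYPES:
        return True
    return _MARKUP_SNIFF.match(data[:512]) is not None


def vulnerable_headers(filename: str, data: bytes) -> dict:
    """Mirrors the flawed behaviour: trust the extension and render inline.
    For evil.html the browser parses the body as a page in the app's origin."""
    guessed, _ = mimetypes.guess_type(filename)
    return {
        "Content-Type": guessed or "application/octet-stream",
        "Content-Disposition": f'inline; filename="{filename}"',
    }


def safe_filename(filename: str) -> str:
    """Drop path components and any character that could break the header;
    keep ASCII letters, digits, dot, dash and underscore."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).strip("._")
    return name or "attachment"


def hardened_headers(filename: str, data: bytes) -> dict:
    """Serve every attachment as a download and never let the browser render it."""
    guessed, _ = mimetypes.guess_type(filename)
    content_type = guessed or "application/octet-stream"
    if looks_like_active_content(filename, data):
        # If an HTML/SVG file must be retained at all, label it as an opaque blob.
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        # "attachment" tells the browser to save, not display, the body.
        "Content-Disposition": f'attachment; filename="{safe_filename(filename)}"',
        # Stops the browser from sniffing an octet-stream back into text/html.
        "X-Content-Type-Options": "nosniff",
        # Belt and braces: a client that still renders gets an origin-less,
        # script-less sandbox.
        "Content-Security-Policy": "sandbox",
        "Cache-Control": "no-store",
    }


def accept_upload(filename: str, data: bytes) -> tuple:
    """Upload-time check: (accepted, reason). Rejects disallowed extensions and
    files whose bytes look like markup even when the name says otherwise."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    if looks_like_active_content(filename, data):
        return False, "content looks like browser-executable markup"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample payload, not taken from the advisory.
    payload = b"<html><body><script>alert(document.domain)</script></body></html>"
    print("vulnerable:", vulnerable_headers("evil.html", payload))
    print("hardened:  ", hardened_headers("evil.html", payload))
    print("upload:    ", accept_upload("evil.html", payload))
```

The two header functions take the same bytes; the only difference between the script running and a harmless file download is `Content-Disposition`, the pinned `Content-Type`, and `nosniff`. The upload check is the second layer: it catches an HTML body renamed to `invoice.pdf`, which an extension-only filter would wave through.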

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.