CVE-2024-28100

Name of the Vulnerable Software and Affected Versions eLabFTW versions prior to 5.0.0

Description The issue allows a regular user to create a circumstance where a visitor's browser runs arbitrary JavaScript code in the context of the eLabFTW application by uploading specially crafted files. This can be triggered by the visitor viewing a list of experiments, enabling the malicious script to act on behalf of the visitor, including creating API keys for persistence or other options normally available to the user. If the user viewing the page has the sysadmin role in eLabFTW, the script can act as a sysadmin, including system configuration and extensive user management roles.

Recommendations For versions prior to 5.0.0, upgrade to at least version 5.0.0 to resolve the issue. As a temporary workaround, consider restricting access to uploaded files and limiting user permissions to minimize the risk of exploitation. Avoid using the application's experiment viewing feature until the issue is resolved.