PT-2024-26885 · Sysreptor · Sysreptor

Cmahrl · Published 2024-05-19 · Updated 2025-12-11

CVE-2024-36076
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
SysReptor versions 2024.28 through 2024.30
SysReptor versions prior to 2024.40

Description
The issue allows attackers to escalate privileges and obtain sensitive information when a logged-in SysReptor user visits a malicious same-site subdomain in the same browser session. The cause is Cross-Site WebSocket Hijacking: the malicious subdomain can open a WebSocket connection that rides on the victim's existing session and perform unauthorized actions.

Recommendations
For versions 2024.28 through 2024.30, and for any version prior to 2024.40, update to version 2024.40 or later to resolve the issue. As a temporary workaround, consider restricting access to WebSocket connections to minimize the risk of exploitation.

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2024-36076
GHSA-2VFC-3H43-VGHH

Affected Products

Sysreptor