PT-2024-31831 · Baltic It · Topqw Webportal+1

Majid Lakhnati +1 · Published 2024-11-13 · Updated 2024-11-15 · CVE-2024-45879

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

baltic-it TOPqw Webportal versions 1.35.287.1 through 1.35.290

Description

The issue concerns a Cross-Site Scripting (XSS) vulnerability in the file upload function of the "QWKalkulation" tool. To exploit this vulnerability, an attacker must be authenticated to the application using the "TOPqw Webportal". Once authenticated, the attacker can persistently place malicious JavaScript code in the "QWKalkulation" menu. The vulnerable endpoint is /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx.

Recommendations

For versions 1.35.287.1 through 1.35.290, update to version 1.35.291 to resolve the issue. As a temporary workaround, consider restricting access to the "QWKalkulation" tool and the file upload function in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx to minimize the risk of exploitation.
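
To review how the upload function was used before the update, or to confirm that an access restriction is holding, the following added example (not part of the advisory or the vendor's code) scans web server logs for POST requests to the endpoint named above. It assumes the portal is served by IIS with W3C extended logging and that uploads are submitted as POSTs to this page; the log lines are constructed sample data.

```python
# Added example: find POSTs to the advisory's endpoint in IIS W3C logs.
# Assumption: file uploads arrive as POST requests to this .aspx page.
ENDPOINT = "/Apps/TOPqw/QWKalkulation/QWKalkulation.aspx"

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2024-11-14 08:01:12 GET /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx alice 10.0.0.5 200
2024-11-14 08:02:40 POST /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx alice 10.0.0.5 200
2024-11-14 08:03:02 POST /apps/topqw/qwkalkulation/qwkalkulation.aspx bob 10.0.0.9 302
2024-11-14 08:04:00 POST /Apps/TOPqw/Start.aspx bob 10.0.0.9 200
2024-11-14 08:05:30 POST /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx - 10.0.0.7 401
"""

def find_endpoint_posts(log_text, endpoint=ENDPOINT):
    """Return parsed records for POSTs to the endpoint (path compared case-insensitively)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can reappear mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed or truncated lines
        rec = dict(zip(fields, values))
        if (rec.get("cs-method", "").upper() == "POST"
                and rec.get("cs-uri-stem", "").lower() == endpoint.lower()):
            hits.append(rec)
    return hits

def summarize_by_user(hits):
    """Count 2xx/3xx POSTs per authenticated user, for follow-up review."""
    counts = {}
    for rec in hits:
        user = rec.get("cs-username", "-")
        if user != "-" and rec.get("sc-status", "")[:1] in ("2", "3"):
            counts[user] = counts.get(user, 0) + 1
    return counts

if __name__ == "__main__":
    hits = find_endpoint_posts(SAMPLE_LOG)
    for rec in hits:
        print(rec["date"], rec["time"], rec["cs-username"], rec["c-ip"], rec["sc-status"])
    print(summarize_by_user(hits))
```

With a restriction in place, accepted POSTs from accounts or addresses outside the permitted set indicate the workaround is not effective.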

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-45879

Affected Products

Qwkalkulation
Topqw Webportal