CVE-2024-29908 in co-marquage service-public.fr Plugin
Summary
by MITRE • 03/27/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kienso Co-marquage service-public.Fr allows Stored XSS.This issue affects Co-marquage service-public.Fr: from n/a through 0.5.71.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2025
The CVE-2024-29908 vulnerability represents a critical cross-site scripting flaw in the Kienso Co-marquage service-public.fr web application, specifically within the version range from an unspecified initial version through 0.5.71. This vulnerability falls under the category of improper neutralization of input during web page generation, a well-documented weakness that enables attackers to inject malicious scripts into web pages viewed by other users. The flaw manifests as a stored cross-site scripting vulnerability, meaning that malicious payloads persist in the application's database and are executed whenever affected pages are loaded by unsuspecting users. The vulnerability stems from inadequate sanitization of user-supplied input that is subsequently rendered in web pages without proper encoding or validation mechanisms.
The technical exploitation of this vulnerability occurs when an attacker submits malicious input through the Co-marquage service-public.fr application interface, which is then stored in the system's database. When other users access pages containing this stored content, the malicious script executes in their browsers within the context of the vulnerable application, potentially allowing attackers to steal session cookies, perform unauthorized actions on behalf of users, or redirect them to malicious sites. This stored XSS vulnerability is particularly dangerous because the malicious code persists and affects multiple users over time, unlike reflected XSS attacks that require specific user interaction. The vulnerability is classified as a CWE-79: Improper Neutralization of Input During Web Page Generation, which is a fundamental weakness in web application security that has been consistently identified as one of the most prevalent and dangerous vulnerabilities in web applications.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable sophisticated attack chains that compromise user accounts and sensitive data within the Co-marquage service-public.fr environment. Attackers could potentially escalate privileges, access confidential information, or manipulate the application's functionality to serve their malicious objectives. The vulnerability affects all versions of the application up to and including 0.5.71, indicating that organizations running these versions face immediate security risks. This flaw particularly impacts government services and public sector applications that rely on the Co-marquage platform, potentially compromising the integrity and confidentiality of sensitive information processed through these systems.
Organizations affected by CVE-2024-29908 should implement immediate mitigations including input validation and output encoding across all user-supplied data points within the application. The recommended approach involves implementing strict sanitization of all input fields and ensuring proper HTML encoding of dynamic content before rendering in web pages. Security patches should be applied immediately to upgrade to versions beyond 0.5.71 where the vulnerability has been addressed. Additionally, organizations should conduct comprehensive security testing including automated scanning and manual penetration testing to identify any potential exploitation attempts. The remediation process should follow established security frameworks such as those recommended by the OWASP Top Ten project, which emphasizes the importance of proper input validation and output encoding to prevent XSS vulnerabilities. Organizations should also consider implementing Content Security Policy headers and other defensive measures to provide additional layers of protection against script injection attacks, as outlined in the MITRE ATT&CK framework's approach to defending against web-based attacks.