CVE-2024-4724 in Legal Case Management Systeminfo

Summary

by MITRE • 05/14/2024

A vulnerability, which was classified as problematic, was found in Campcodes Legal Case Management System 1.0. Affected is an unknown function of the file /admin/case-type. The manipulation of the argument case_type_name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-263802 is the identifier assigned to this vulnerability.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability resides within the Campcodes Legal Case Management System version 1.0, specifically targeting the administrative functionality related to case type management. The issue manifests in the /admin/case-type endpoint where input validation fails to properly sanitize user-supplied data, creating a pathway for malicious actors to inject arbitrary script code. The vulnerable parameter case_type_name accepts unfiltered input that gets directly rendered back to users without appropriate output encoding or sanitization mechanisms.

The technical flaw represents a classic cross site scripting vulnerability that falls under CWE-79 - Improper Neutralization of Input During Web Page Generation. This weakness allows attackers to execute malicious scripts in the context of other users' browsers, potentially leading to session hijacking, data theft, or unauthorized actions within the application. The vulnerability is classified as remotely exploitable since no authentication or local access is required to initiate the attack vector.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to escalate privileges within the legal case management system. Given that this system handles sensitive legal information and case data, successful exploitation could result in unauthorized access to confidential client information, manipulation of case records, or complete compromise of the administrative interface. The public disclosure of the exploit (VDB-263802) significantly increases the risk level as threat actors can readily leverage this vulnerability without requiring advanced technical skills.

Mitigation strategies should include immediate implementation of input validation and output encoding mechanisms to prevent script injection attacks. The application should sanitize all user inputs through proper escaping techniques before rendering them in web pages, specifically implementing context-appropriate encoding for html, javascript, and css contexts. Additionally, implementing a content security policy can provide an additional layer of protection against unauthorized script execution. Network-level defenses such as web application firewalls should also be configured to detect and block malicious payloads targeting this specific vulnerability. The system administrators must urgently apply patches or implement workarounds to address this issue before it can be exploited by malicious actors in the wild, as evidenced by the public availability of the exploit code.

This vulnerability demonstrates the critical importance of input validation and output encoding in web applications, particularly those handling sensitive data. Organizations implementing similar legal or administrative systems should conduct comprehensive security assessments to identify and remediate similar cross site scripting vulnerabilities throughout their codebase, following the ATT&CK framework's guidance on preventing and detecting web application attacks through proper defensive measures including secure coding practices and regular vulnerability scanning procedures.

Responsible

VulDB

Disclosure

05/14/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00632

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!