CVE-2024-42834: Stored Cross-Site Scripting (XSS) in Incognito SAC v14.11
Fujitsu / August 26, 2025
Executive Summary
In July 2024, a stored cross-site scripting (XSS) vulnerability was discovered in the customerManager API and ManageAccount_retrieve user interface of Incognito’s Service Activation Center (SAC). The vulnerability allowed authenticated attackers with valid API access to inject arbitrary JavaScript into specific user-modifiable fields, such as lastName, which was subsequently rendered without sanitization in the SAC web interface. When a legitimate user—such as an administrator or support agent—viewed the affected record, the injected script executed automatically in their browser context. This vulnerability enabled a range of powerful attack vectors. Through stored XSS, an attacker could hijack sessions by stealing authentication cookies or tokens, perform unauthorized actions on behalf of the victim, exfiltrate sensitive information, and impersonate users within the system. Additionally, attackers could craft deceptive UI elements to phish credentials, escalate privileges, or maintain persistence in the environment. In enterprise environments where SAC is integrated with other internal systems or single sign-on (SSO) services, the impact could extend beyond the SAC platform itself.
Immediately after discovering the vulnerability, the client was contacted, and in order to avoid putting their environment at risk, the vendor was provided the opportunity to first remediate the issue and release an update to the client before any public disclosure. As the client’s trusted security partner, their security posture remains our highest priority, and the vulnerability was handled following responsible disclosure best practices to ensure minimal risk and maximum transparency.
Vulnerability Details
Affected Component:
• API: /tmf-api/customerManagement/v4/customer
• UI Path: ManageAccount_retrieve screen
• Vulnerable Fields: firstName, lastName, Address
An attacker with valid credentials uses the API to insert a malicious script in the lastName field. When an admin or support user opens the customer record via the SAC UI, the script executes automatically.
Proof of Concept (PoC)
Example malicious API payload:
{
  "name": "XSS-ACCOUNTNAME",
  "characteristic": [
    {"name": "subscriberType", "value": "NBAP"},
    {"name": "lastName", "value": ""},
    {"name": "firstName", "value": "XSS (Residential)"}
  ],
  "contactMedium": [
    {
      "characteristic": {
        "city": "CITY",
        "country": "COUNTRY",
        "emailAddress": "xss@poc.poc",
        "phoneNumber": "1234567890",
        "stateOrProvince": "TEST",
        "street1": "ADDRESS"
      },
      "mediumType": "BillingAddress"
    }
  ],
  "engagedParty": {"name": "Incognito"}
}
Screenshot evidence from the assessment is shown below (images not reproduced here):
Evidence – API Request Submission
Evidence – Burp Suite Repeater Payload
Evidence – SAC Customer Display
Evidence – XSS Execution in UI
Risk & Impact
Exploitability: Requires a valid user with API access.
Impact Scope: Admin/support users viewing the modified customer records.
Potential: Session hijacking, credential theft, UI injection.
Recommendations
For Vendors:
• Sanitize user input on API endpoints.
• Escape HTML/JavaScript in UI outputs.
• Apply strict Content Security Policy (CSP) headers.
• Audit all user-controllable fields rendered in HTML.
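The "escape HTML/JavaScript in UI outputs" and "audit all user-controllable fields" items above, worked through as an added example that is not Incognito's or Fujitsu's code: a naive renderer that concatenates customer fields into markup, the same renderer with escape-on-output, and a small review helper for stored fields. The record shape follows the advisory's payload; the lastName value and all function names are constructed for illustration.

```javascript
// Added example (not the vendor's code): escape-on-output for customer fields.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape every HTML-significant character so a stored value is shown as text.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read a named characteristic (firstName, lastName, ...) from a customer record.
function characteristic(customer, name) {
  const entry = (customer.characteristic || []).find((c) => c.name === name);
  return entry ? entry.value : "";
}

// Vulnerable pattern: raw field values are concatenated straight into markup,
// so anything stored via the API reaches the browser unchanged.
function renderCustomerUnsafe(customer) {
  const first = characteristic(customer, "firstName");
  const last = characteristic(customer, "lastName");
  return `<div class="customer"><span class="name">${first} ${last}</span></div>`;
}

// Hardened pattern: every user-controllable value is escaped at the point it
// enters the HTML context.
function renderCustomerSafe(customer) {
  const first = escapeHtml(characteristic(customer, "firstName"));
  const last = escapeHtml(characteristic(customer, "lastName"));
  return `<div class="customer"><span class="name">${first} ${last}</span></div>`;
}

// Review helper: list stored fields whose values contain markup-significant
// characters, for the "audit user-controllable fields" step.
function fieldsNeedingReview(customer) {
  return (customer.characteristic || [])
    .filter((c) => /[<>"'&]/.test(String(c.value)))
    .map((c) => c.name);
}

// Constructed sample record; the lastName value is a generic test string,
// not the payload used in the assessment.
const sampleCustomer = {
  name: "XSS-ACCOUNTNAME",
  characteristic: [
    { name: "subscriberType", value: "NBAP" },
    { name: "lastName", value: "Doe<script>alert(1)</script>" },
    { name: "firstName", value: "XSS (Residential)" },
  ],
};

console.log(renderCustomerUnsafe(sampleCustomer)); // script tag survives intact
console.log(renderCustomerSafe(sampleCustomer));   // rendered as literal text
console.log(fieldsNeedingReview(sampleCustomer));  // [ 'lastName' ]
```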
For Customers:
• Upgrade to a patched version of SAC.
• Enforce MFA on all privileged accounts.
• Monitor for unusual metadata inputs.
Disclosure Timeline
26 July 2024 - Vulnerability discovered
27 July 2024 - Vendor informed
August 2024 - CVE assigned and remediation began
November 2024 - CVE published
References
CVE-2024-42834: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42834
Incognito SAC: https://www.incognito.com/products/service-activation-center/
Credits
Vulnerability discovered by Etienne Supra, Senior Technical Tester @ Fujitsu, during a routine penetration test.