
Apache VCL (Virtual Computing Lab), a widely used open-source cloud computing platform designed to deliver custom computing environments, is facing serious security flaws. Recent advisories have revealed two significant vulnerabilities: an SQL injection flaw and a cross-site scripting (XSS) vulnerability.
CVE-2024-53678 highlights a critical SQL injection vulnerability within the New Block Allocation form of Apache VCL. The vulnerability stems from “Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’).” This flaw allows a user to manipulate the form data submitted when requesting a new Block Allocation and thereby modify a SELECT SQL statement.
While the report indicates that the data returned by the SELECT statement is not viewable by the attacker, the ability to modify SQL queries poses a substantial risk. Successful exploitation could lead to unauthorized data manipulation or other backend database compromises. This vulnerability affects Apache VCL versions 2.2 through 2.5.1.
CVE-2024-53679 details a separate but equally concerning cross-site scripting (XSS) vulnerability in the User Lookup form of Apache VCL. This vulnerability is due to “Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’).”
A user with the necessary privileges to access the User Lookup section can craft a malicious URL, or trick another user into clicking on a specially crafted URL, to elevate the privileges of a specified user. This flaw impacts Apache VCL versions 2.1 through 2.5.1.
The consequences of these vulnerabilities can be severe, potentially leading to unauthorized access, data breaches, and system compromise. To mitigate these risks, users are strongly advised to take immediate action.
The official recommendation is to upgrade to Apache VCL version 2.5.2. This release includes the necessary fixes to patch both the SQL injection and XSS vulnerabilities. Promptly applying this update is crucial for ensuring the security and integrity of Apache VCL deployments.
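A small triage script, added here as an example and not part of Apache VCL or the advisories, that checks an installed VCL version against the affected ranges and fixed version stated above; the version strings fed to it are constructed samples.

```python
"""Added example (not Apache VCL project code): triage an installed VCL version
against the affected ranges stated in the advisory text above."""
import re

# Affected ranges as stated on the page (inclusive); both fixed in 2.5.2.
ADVISORIES = {
    "CVE-2024-53678": ("2.2", "2.5.1"),   # SQL injection, New Block Allocation form
    "CVE-2024-53679": ("2.1", "2.5.1"),   # XSS, User Lookup form
}
FIXED_VERSION = "2.5.2"


def parse_version(v: str) -> tuple:
    """Turn '2.5.1' into (2, 5, 1). Missing components count as 0, so '2.5'
    compares equal to '2.5.0'; a trailing suffix such as '-rc1' is ignored.
    Comparing tuples of ints avoids the string-compare trap where '2.10' < '2.5'."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"not a version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def affected_cves(version: str) -> list:
    """Return the CVE ids whose inclusive affected range contains `version`."""
    v = parse_version(version)
    return [cve for cve, (lo, hi) in ADVISORIES.items()
            if parse_version(lo) <= v <= parse_version(hi)]


def triage(version: str) -> str:
    """One-line verdict for an inventory report."""
    cves = affected_cves(version)
    if not cves:
        return f"Apache VCL {version}: not in an affected range"
    return (f"Apache VCL {version}: affected by {', '.join(cves)}; "
            f"upgrade to {FIXED_VERSION}")


if __name__ == "__main__":
    # Constructed sample inventory, including boundary and two-digit cases.
    for v in ("2.1", "2.2", "2.5.1", "2.5.2", "2.10", "v2.4.0-rc1"):
        print(triage(v))
```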