[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] CVE-2024-30921: Unauthenticated XSS Vulnerability in DerbyNet v9.0 via photo.php
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] CVE-2024-30921: Unauthenticated XSS Vulnerability in DerbyNet v9.0 via photo.php
- From: Valentin Lobstein via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Wed, 03 Apr 2024 18:38:13 +0000
CVE ID: CVE-2024-30921
Description:
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet
version 9.0, specifically affecting the photo.php component. This vulnerability
allows remote attackers to execute arbitrary code via crafted URLs, without
requiring authentication.
Vulnerability Type: Cross-Site Scripting (XSS)
Vendor of Product: DerbyNet - Available on GitHub:
https://github.com/jeffpiazza/derbynet
Affected Product Code Base: DerbyNet - v9.0
Affected Component: photo.php
Attack Type: Remote
Impact: Code execution
Attack Vectors: The vulnerability can be exploited by navigating to a specially
crafted URL such as:
- http://127.0.0.1:8000/photo.php/<img src=x onerror=alert(1)>
This method allows the attacker to inject arbitrary JavaScript that will be
executed in the context of the victim's browser.
Discoverer: Valentin Lobstein
References:
- Official website: http://derbynet.com
- Source code on GitHub: https://github.com/jeffpiazza/derbynet
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/