DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo.php.
d7ac5458d2d0756d2d607450406a0027661faffb3740c59db51f83e2e7620fe8CVE ID: CVE-2024-30921
Description:
A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically affecting the photo.php component. This vulnerability allows remote attackers to execute arbitrary code via crafted URLs, without requiring authentication.
Vulnerability Type: Cross-Site Scripting (XSS)
Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet
Affected Product Code Base: DerbyNet - v9.0
Affected Component: photo.php
Attack Type: Remote
Impact: Code execution
Attack Vectors: The vulnerability can be exploited by navigating to a specially crafted URL such as:
- http://127.0.0.1:8000/photo.php/<img src=x onerror=alert(1)>
This method allows the attacker to inject arbitrary JavaScript that will be executed in the context of the victim's browser.
Discoverer: Valentin Lobstein
References:
- Official website: http://derbynet.com
- Source code on GitHub: https://github.com/jeffpiazza/derbynet
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed