lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <MufzDNNo75gYxdBZ4Mx76gzOz643opuy9w84m-JH0JvuZYxnQOVqlTrsUOXSq7s3aSOTzttIynsaj1DQcK6wFlxb7O3FOIv_aR0OZ1K7RgY=@protonmail.com> Date: Wed, 03 Apr 2024 18:38:13 +0000 From: Valentin Lobstein via Fulldisclosure <fulldisclosure@...lists.org> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] CVE-2024-30921: Unauthenticated XSS Vulnerability in DerbyNet v9.0 via photo.php CVE ID: CVE-2024-30921 Description: A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically affecting the photo.php component. This vulnerability allows remote attackers to execute arbitrary code via crafted URLs, without requiring authentication. Vulnerability Type: Cross-Site Scripting (XSS) Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet Affected Product Code Base: DerbyNet - v9.0 Affected Component: photo.php Attack Type: Remote Impact: Code execution Attack Vectors: The vulnerability can be exploited by navigating to a specially crafted URL such as: - http://127.0.0.1:8000/photo.php/<img src=x onerror=alert(1)> This method allows the attacker to inject arbitrary JavaScript that will be executed in the context of the victim's browser. Discoverer: Valentin Lobstein References: - Official website: http://derbynet.com - Source code on GitHub: https://github.com/jeffpiazza/derbynet _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists