CVE-2024-53617

Published: Dec 2, 2024Modified: Dec 2, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Exploitability: 1.7 / Impact: 2.7

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A Cross Site Scripting vulnerability in LibrePhotos before commit 32237 allows attackers to takeover any account via uploading an HTML file on behalf of the admin user using IDOR in file upload.

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/LibrePhotos/librephotos/commit/32237ddc0b6293a69b983a07b5ad462fcdd6c929

Source: cve@mitre.org

https://github.com/LibrePhotos/librephotos/pull/1476

Source: cve@mitre.org

https://github.com/ii5mai1/CVE-2024-53617

Source: cve@mitre.org

Timeline

No history available yet.