Security
Headlines
HeadlinesLatestCVEs

Headline

DerbyNet 9.0 photo-thumbs.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo-thumbs.php.

Packet Storm
#xss#vulnerability#web#git#java#php#acer

CVE ID: CVE-2024-30925

Description:
A Cross-Site Scripting (XSS) vulnerability exists in DerbyNet version 9.0, specifically within the photo-thumbs.php component. This issue enables a remote attacker to execute arbitrary code through the improper handling of the racerid and back parameters. The vulnerability arises because the application dynamically generates URLs for navigation without adequately sanitizing these parameters, thus allowing the injection of malicious scripts.

Vulnerability Type: Cross-Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: photo-thumbs.php

Attack Type: Remote

Impact: Code execution

Attack Vectors:
The XSS vulnerability can be exploited through manipulation of the racerid and back parameters in the URL. Examples of such manipulation include:

  • http://127.0.0.1:8000/photo-thumbs.php?repo=head&racerid=</script><script>alert(1)</script>
  • http://127.0.0.1:8000/photo-thumbs.php?back="><script>alert(1)</script></div>

These URLs demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user’s browser session.

Discoverer: Valentin Lobstein

References:

  • Official website: http://derbynet.com
  • Source code on GitHub: https://github.com/jeffpiazza/derbynet

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution