Security
Headlines
HeadlinesLatestCVEs

Headline

DerbyNet 9.0 checkin.php Cross Site Scripting

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in checkin.php.

Packet Storm
Open in Source
#xss#vulnerability#web#git#java#php

CVE ID: CVE-2024-30924

Description:
A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically within the checkin.php component. This vulnerability allows remote attackers to execute arbitrary code due to improper handling of the order URL parameter. The flaw lies in the way the order parameter is embedded directly into a JavaScript variable assignment without adequate sanitization or encoding, making it possible to inject scripts.

Vulnerability Type: Cross Site Scripting (XSS)

Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet

Affected Product Code Base: DerbyNet - v9.0

Affected Component: checkin.php

Attack Type: Remote

Impact: Code execution is possible as a result of this vulnerability.

Attack Vectors:
The XSS vulnerability can be exploited by manipulating the order parameter in the URL. For example:

  • http://127.0.0.1:8000/checkin.php?order=</script><script>alert(1)</script>
  • http://127.0.0.1:8000/checkin.php?order=';alert(1);//

These attack vectors demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user’s browser session.

Discoverer: Valentin Lobstein

References:

  • Official website: http://derbynet.com
  • Source code on GitHub: https://github.com/jeffpiazza/derbynet

Packet Storm: Latest News

Grav CMS 1.7.44 Server-Side Template Injection
Packet Storm