CVE-2024-56517: LGSL has a reflected XSS at /lgsl_files/lgsl_list.php
A reflected XSS vulnerability exists in the Referer HTTP header of LGSL v6.2.1. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization.
When crafted malicious input is provided in the Referer header, it is echoed back into an HTML attribute in the application’s response.
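The pattern described above, as an added example that is not LGSL's own code: a header value concatenated into an HTML attribute, next to a version that validates the value and encodes it for the attribute context. The function names, the `href` attribute, the host `games.example` and the sample inputs are assumptions made for illustration; the advisory does not say which attribute is affected.

```php
<?php
// Added illustration, not taken from LGSL. All names below are hypothetical.

// Vulnerable pattern: the header value goes into the attribute unencoded,
// so a double quote in the value ends the attribute early.
function render_back_link_unsafe(string $referer): string
{
    return '<a href="' . $referer . '">Back</a>';
}

// Hardened pattern: accept only http(s) URLs on our own host, fall back to a
// fixed path otherwise, then encode for the HTML attribute context.
function render_back_link_safe(string $referer, string $ownHost, string $fallback = '/'): string
{
    $parts = parse_url($referer);
    $ok = is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strcasecmp($parts['host'], $ownHost) === 0;

    $target = $ok ? $referer : $fallback;
    // ENT_QUOTES encodes both " and ', so the value cannot leave the attribute.
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">Back</a>';
}

// Constructed sample values; a real handler would read $_SERVER['HTTP_REFERER'] ?? ''.
$samples = [
    'https://games.example/lgsl_files/lgsl_list.php?page=2', // ordinary value
    'https://games.example/" data-injected="1',              // quote breaks out of the attribute
    'javascript:void(0)',                                    // non-http scheme, no host
];

foreach ($samples as $referer) {
    echo "input : $referer\n";
    echo "unsafe: ", render_back_link_unsafe($referer), "\n";
    echo "safe  : ", render_back_link_safe($referer, 'games.example'), "\n\n";
}
```

For the second sample the unsafe output gains a separate `data-injected` attribute, while the safe output keeps the whole value inside `href` with the quotes rendered as `&quot;`.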