CVE-2024-25976

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-25976
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-25976.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-25976
Published
2024-05-29T13:15:49Z
Modified
2025-01-08T15:53:39.662623Z
Summary
[none]
Details

When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim's browser. This is due to a fault in the file login.php where the content of "$SERVER['PHPSELF']" is reflected into the HTML of the website. Hence the attacker does not need a valid account in order to exploit this issue.

References

Affected packages

Git / github.com/hawk-digital-environments/hawki

Affected ranges

Type
GIT
Repo
https://github.com/hawk-digital-environments/hawki
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

1.*

1.0.0-beta.1