Multiple XSS vulnerabilities in LocalServer
LocalServer, version 1.0.9.
INCIBE has coordinated the publication of 4 vulnerabilities of medium severity affecting LocalServer (developed by Ujang Rohidin) in its version 1.0.9, a software for Windows that allows turning a PC into a local web server where the Apache, PHP and MySQL servers are located, which have been discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- from CVE-2024-10286 to CVE-2024-10289: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
There is no reported solution at this time.
Cross-Site Scripting (XSS) vulnerabilities affecting LocalServer 1.0.9 that could allow a remote user to send a specially crafted query to an authenticated user and steal their session details. The list of assigned parameters and identifiers is as follows:
- CVE-2024-10286: parameter to in /testmail/index.php.
- CVE-2024-10287: parameter ListName in /mlss/ForgotPassword.
- CVE-2024-10288: parameter ListName in /mlss/SubscribeToList.
- CVE-2024-10289: parameter MSubListName in /mlss/ManageSubscription.
