Multiple XSS vulnerabilities in LocalServer

Posted date 23/10/2024
Identifier
INCIBE-2024-0528
Importance
3 - Medium
Affected Resources

LocalServer, version 1.0.9.

Description

INCIBE has coordinated the publication of 4 medium-severity vulnerabilities affecting LocalServer (developed by Ujang Rohidin) in version 1.0.9. LocalServer is Windows software that turns a PC into a local web server hosting Apache, PHP and MySQL. The vulnerabilities were discovered by Rafael Pedrero.

Each vulnerability has been assigned a CVE identifier, a CVSS v3.1 base score and vector, and a CWE weakness type, as follows:

  • CVE-2024-10286 to CVE-2024-10289: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.

Solution

There is no reported solution at this time.

Detail

Cross-Site Scripting (XSS) vulnerabilities affecting LocalServer 1.0.9 could allow a remote attacker to send a specially crafted request to an authenticated user and steal their session details. The affected parameters and their assigned identifiers are as follows:

  • CVE-2024-10286: parameter to in /testmail/index.php.
  • CVE-2024-10287: parameter ListName in /mlss/ForgotPassword.
  • CVE-2024-10288: parameter ListName in /mlss/SubscribeToList.
  • CVE-2024-10289: parameter MSubListName in /mlss/ManageSubscription.
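The four findings above share one root cause (CWE-79): a request parameter is written back into the HTML response without output encoding. The following is an added illustration, not LocalServer's own code; it uses a hypothetical handler for a "to" parameter, modelled loosely on the /testmail/index.php case, to show the vulnerable pattern beside a hardened version that validates the input and HTML-encodes it on output.

```php
<?php
// Added example (not code from LocalServer). The parameter name "to" mirrors
// CVE-2024-10286; the surrounding handler is hypothetical.

// Vulnerable pattern: the raw parameter is concatenated into the HTML body,
// so any markup or script in the request is reflected to the victim's browser.
function render_unsafe(string $to): string
{
    return "<p>Sending test mail to " . $to . "</p>";
}

// Hardened pattern: validate that the value is what the page expects (an
// e-mail address) and encode it for the HTML context it is written into.
// ENT_QUOTES also covers the attribute context, ENT_SUBSTITUTE avoids
// emitting invalid UTF-8 sequences.
function render_safe(string $to): string
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return "<p>Invalid recipient address.</p>";
    }
    $encoded = htmlspecialchars($to, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p>Sending test mail to " . $encoded . "</p>";
}

// Defence in depth for the whole page: a restrictive CSP limits what a
// reflected payload could do even if an encoding gap is missed elsewhere.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header("X-Content-Type-Options: nosniff");
}

// Constructed sample inputs for a quick local check (no real traffic).
$benign  = "user@example.test";
$markup  = "<b>not</b>@example.test";   // constructed: contains HTML markup

echo render_unsafe($markup), PHP_EOL;   // markup survives: reflected XSS pattern
echo render_safe($markup), PHP_EOL;     // rejected by validation
echo render_safe($benign), PHP_EOL;     // address shown, encoded
```

The point to take from the two functions is that the fix lives on the output side: encoding must match the context (HTML body, attribute, JavaScript, URL), and validation alone is not a substitute for it, since a valid-looking value can still contain characters that are meaningful in HTML.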
References list