CVE-2024-26495

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Friendica versions after v.2023.12, where posts and comments can contain malicious BBCode tags that are not properly sanitized. Specifically, the [url] tag allows injection of event handlers (e.g., onmouseover) inside the URL attribute, leading to script execution when a user interacts with the link [1]. Affected versions: all Friendica releases after 2023.12 up to (and not including) the fix version (if one exists).

Exploitation

An attacker must have a valid user account on the Friendica instance and be able to create posts or comments. The attacker crafts a post with a specially formed BBCode URL tag, such as [url=http://www.example.com" onmouseover="alert('XSS')]text[/url]. When any user (including the attacker) hovers the mouse over the rendered link, the injected JavaScript executes in the context of the victim's browser [1]. No additional privileges or user interaction beyond visiting the page and hovering is required.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of users who view the malicious post. This can lead to session hijacking, data theft, or actions performed on behalf of the victim. Since posts are stored, the XSS persists and affects all users who read the post, potentially compromising the entire application's data and functionality [1].

Mitigation

As of the publication date (2024-04-03), no official patched version has been released by Friendica. The issue is tracked in the project's GitHub issue tracker [1]. Users are advised to disable BBCode rendering or apply input sanitization as a workaround until a fix is provided. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.