CVE-2024-27728
Description
Reflected XSS in Friendica 2023.12's Babel debug feature allows attackers to steal session cookies or password hashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Friendica 2023.12's Babel debug feature allows attackers to steal session cookies or password hashes.
Vulnerability
The Babel debug feature in Friendica 2023.12 contains a reflected Cross-Site Scripting (XSS) vulnerability via the text parameter. No authentication is required to access the debug endpoint, and user interaction (e.g., clicking a crafted link) is needed. [1]
Exploitation
An attacker can craft a malicious URL containing an XSS payload in the text parameter of the Babel debug feature. The victim must visit the URL while logged into Friendica. The script executes in the victim's browser. [1]
Impact
Successful exploitation allows the attacker to steal the victim's session cookie (PHPSESSID) or password hash, leading to account takeover. Since the debug feature is typically used by administrators, the attacker could gain admin privileges. [1]
Mitigation
Upgrade to a patched version; the vulnerability was disclosed in May 2024. No specific fixed version is mentioned, but users should update to the latest Friendica release. If no patch is available, disable the Babel debug feature or restrict access. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.