CVE-2024-27729
Description
Stored XSS in Friendica 2023.12 calendar event location parameter allows attackers to steal session cookies or password hashes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Friendica version 2023.12 within the calendar event feature. The location parameter of event creation is not sanitized or escaped before being displayed in users' feeds. This allows an attacker to inject arbitrary JavaScript code that executes in the browsers of any user who views the event in their feed [1].
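To show the mechanism described above in working code, the following is an added example and not Friendica's code, nor the fix from the referenced pull request. It is a generic PHP feed renderer: the first function interpolates a user-supplied event location into HTML unchanged (the defect class this CVE describes), the second HTML-encodes it at output time so the browser treats it as text. The function names, the `$event` array shape and the sample location value are assumptions constructed for the example.

```php
<?php
// Added example: a generic PHP feed renderer, not Friendica's own code.
// Function names and the $event array layout are assumptions.

// Defective form: the stored location value is placed into the HTML as-is,
// so any markup or script stored in it is interpreted by the viewer's browser.
function render_event_location_unsafe(array $event): string
{
    return '<span class="event-location">' . $event['location'] . '</span>';
}

// Hardened form: HTML-encode at the point of output. ENT_QUOTES also encodes
// single quotes (relevant inside attributes); ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string; the charset must match
// the page's declared encoding.
function render_event_location_safe(array $event): string
{
    $location = htmlspecialchars($event['location'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="event-location">' . $location . '</span>';
}

// Returns true when the rendered HTML contains no raw tag for the given
// event, i.e. the encoding step neutralised any markup in the stored value.
function location_is_inert(string $rendered_location_only): bool
{
    return strpos($rendered_location_only, '<') === false
        && strpos($rendered_location_only, '>') === false;
}

// Constructed sample: a location value that carries markup, as it would sit
// in the database after an unsanitised event-creation request.
$event = ['location' => '<script>alert(1)</script>Town Hall'];

$unsafe = render_event_location_unsafe($event);
$safe   = render_event_location_safe($event);

// Strip the wrapper span so only the rendered location value is inspected.
$inner = fn(string $html): string =>
    substr($html, strlen('<span class="event-location">'), -strlen('</span>'));

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
echo "unsafe inert? ", location_is_inert($inner($unsafe)) ? 'yes' : 'no', PHP_EOL;
echo "safe inert?   ", location_is_inert($inner($safe)) ? 'yes' : 'no', PHP_EOL;
```

The check function deliberately inspects only the rendered value, not the surrounding template markup; in a real codebase the same encoding must be applied everywhere the location is emitted (feed, event detail page, notification e-mails), since a single unescaped sink is enough for the stored payload to execute.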
Exploitation
An attacker must be an authenticated user on the Friendica instance to create a calendar event. By setting the location parameter to a malicious script, the payload is stored and later rendered in the feeds of followers. No additional user interaction is required beyond viewing the event [1]. The attacker can combine this with a CSRF request to target specific users, though the primary session cookie (`PHPSESSID`) is set with the `HttpOnly` flag, limiting direct cookie theft [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can be used to steal sensitive information such as session cookies (if HttpOnly is not enforced) or password hashes, potentially leading to account takeover. The attacker can target any user who views the malicious event, including administrators [1].
Mitigation
The vulnerability was fixed in pull request #13927, merged on February 21, 2024 [2]. Users should update Friendica to a version that includes this fix. No official workaround has been provided, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.