CVE-2024-34749
Description
Phormer prior to version 3.35 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote unauthenticated attacker may execute an arbitrary script on the web browser of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Phormer prior to 3.35 has a reflected XSS flaw allowing remote unauthenticated attackers to execute arbitrary scripts in victims' browsers.
Overview
Phormer, a lightweight PHP photo gallery manager that uses XML databases instead of MySQL, contains a reflected cross-site scripting (XSS) vulnerability in versions prior to 3.35 [1][2][3]. The root cause is improper neutralization of user input during output generation, which allows an attacker to inject arbitrary HTML or JavaScript into the application's response pages [3].
Attack Vector
This vulnerability can be exploited remotely by an unauthenticated attacker through crafted HTTP requests [3]. No special network position or credentials are required; the attacker only needs to convince a victim to click a maliciously crafted link, triggering the XSS payload in the victim's web browser session [3]. The CVSS v3 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms the low attack complexity and lack of privilege requirements [3].
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser [3]. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, all within the vulnerable Phormer application's trust boundary.
Mitigation
The developer released version 3.35 on February 7, 2024, which addresses the XSS issue [2][3]. Users are strongly advised to update to this latest version. Note that the original project ended in 2007 and no further support is expected, but the 3.35 release specifically fixes this security flaw [1][3].
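To make the root cause named in the Overview concrete, the following is an added example written for this page; it is not Phormer's code, and the page does not identify which Phormer page or parameter was affected. The script, the `q` parameter and both function names are hypothetical. It shows the generic reflected-XSS pattern (a request value written into HTML unchanged) beside the hardened form that encodes the value for the HTML context at output time, which is the class of fix a release such as 3.35 would apply.

```php
<?php
// Added example (not Phormer's code). Hypothetical page that reflects
// the "q" query parameter back into its HTML response.

// Vulnerable pattern: the user-controlled value is concatenated into the
// HTML unchanged, so any markup in the parameter becomes part of the page
// (CWE-79, improper neutralization of input during web page generation).
function render_vulnerable(string $q): string
{
    return '<p>Search results for: ' . $q . '</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES escapes both ' and ", so the value is also safe inside quoted
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the explicit charset keeps the encoding
// unambiguous regardless of php.ini defaults.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_hardened(string $q): string
{
    return '<p>Search results for: ' . html_encode($q) . '</p>';
}

// Entry point of the hypothetical page. Defence in depth: a restrictive
// Content-Security-Policy limits what an injected script could do even if
// an encoding gap remains elsewhere.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    $q = $_GET['q'] ?? '';
    echo render_hardened($q);
    exit;
}

// Constructed input for running the script from the command line: it
// contains every character htmlspecialchars() treats as significant.
$input = '<b>"Hello" & \'world\'</b>';
echo "vulnerable: ", render_vulnerable($input), PHP_EOL;
echo "hardened:   ", render_hardened($input), PHP_EOL;
```

Run from the command line, the first line reproduces the markup verbatim while the second replaces `<`, `>`, `&`, `"` and `'` with their HTML entities, so the browser renders the text rather than interpreting it. The encoding belongs at output time and must match the context (HTML body here; an attribute, URL or JavaScript context each needs its own encoder), which is why input filtering alone does not close this class of bug.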
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (No linked articles in our index yet.)