VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 20, 2024· Updated Mar 13, 2025

CVE-2024-39094

CVE-2024-39094

Description

Stored XSS in Friendica 2024.03 via homepage, xmpp, and matrix profile parameters allows arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Friendica 2024.03 via homepage, xmpp, and matrix profile parameters allows arbitrary script execution.

Vulnerability

Friendica version 2024.03 is vulnerable to stored Cross-Site Scripting (XSS) in the /settings/profile page via the homepage, xmpp, and matrix parameters [1][3]. The input is not sanitized before being stored and later reflected on /profile/[username] endpoints, enabling injection of arbitrary JavaScript [3].

Exploitation

An attacker only needs to be able to access the profile settings page and submit malicious payloads through the homepage, xmpp, or matrix fields [3]. No special network position or authentication beyond a standard Friendica user account is required. The injected script is stored and executed when any other user views the attacker's profile page [3].

Impact

Successful exploitation results in stored XSS, allowing arbitrary JavaScript execution in the context of a victim's browser session [3]. This can lead to session hijacking, defacement, or unauthorized actions performed on behalf of the victim [3]. The attacker does not need additional privileges beyond a regular user account to achieve this compromise.

Mitigation

Friendica 2024.08, released on August 17, 2024, includes fixes for this vulnerability [1][2]. Administrators are strongly recommended to update their installations to 2024.08 immediately [1]. No workaround is documented for the vulnerable 2024.03 version.

References
  1. Friendica 2024.08 released – friendica
  2. Release Friendica 2024.08 released · friendica/friendica
  3. /settings/profile - Stored XSS via homepage, xmpp and matrix parameters

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
6d605f24eef1
https://github.com/friendica/friendicavia osv
commit

Vulnerability mechanics

Root cause

"The application does not properly sanitize user-supplied input in profile settings, leading to Cross-Site Scripting."

Attack vector

An attacker can exploit this vulnerability by crafting a malicious URL that includes XSS payloads within the homepage, xmpp, or matrix parameters in the settings/profile section. When a victim visits this crafted URL, the malicious script is executed in their browser. This could lead to session hijacking or other malicious actions.

Affected code

The vulnerability exists in the settings/profile endpoint, specifically affecting the homepage, xmpp, and matrix parameters.

What the fix does

The advisory indicates that Friendica 2024.08 includes fixes for security issues reported by researchers [ref_id=1]. While a specific patch file is not detailed, the release notes strongly recommend all administrators update to this version to benefit from the security enhancements. The update addresses vulnerabilities, including the XSS issue in profile settings.

Preconditions

  • inputUser-supplied input in homepage, xmpp, or matrix parameters.
  • authThe attacker needs to trick a victim into visiting a malicious URL.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.