CVE-2024-53599
Description
A cross-site scripting (XSS) vulnerability in the /scroll.php endpoint of LafeLabs Chaos v0.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LafeLabs Chaos v0.0.1 contains a reflected XSS vulnerability in /scroll.php that allows arbitrary script execution via a crafted payload.
Vulnerability Overview
A cross-site scripting (XSS) vulnerability exists in the /scroll.php endpoint of LafeLabs Chaos version 0.0.1. The application fails to properly sanitize user-supplied input before reflecting it back in the HTTP response, enabling an attacker to inject arbitrary HTML or JavaScript code.[1]
Attack Vector and Prerequisites
The vulnerability can be triggered by crafting a malicious URL containing a payload in the affected parameter. No authentication is required, as the endpoint appears accessible to unauthenticated users. Successful exploitation requires the victim to click on the crafted link (e.g., via phishing or social engineering), after which the injected script executes in the context of the victim's browser session.[1]
Impact
An attacker can execute arbitrary web scripts in the victim's browser, leading to potential session hijacking, credential theft, defacement, or redirection to malicious sites. The CVSS v3 base score of 5.4 (Medium) reflects the moderate impact and the requirement for user interaction.[1]
Mitigation
As of the publication date (2024-11-25), no patch or updated version has been released by the vendor. Users are advised to apply input validation and output encoding for the scroll.php parameter, or to discontinue use of the software until a fix is available.[1]
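The advisory names output encoding as the mitigation but does not show what that looks like in code. The following is an added illustration, not code from LafeLabs Chaos; the affected parameter is not named in the advisory, so the parameter name q is a hypothetical stand-in. It places the unsafe reflection pattern the advisory describes beside the encoded form, and adds a Content-Security-Policy header as a second layer.

```php
<?php
// Added illustration (not LafeLabs Chaos code). The real parameter name is not
// given in the advisory; "q" is a hypothetical stand-in.

// The pattern the advisory describes: the raw request value is concatenated
// into the HTML response, so any markup in it is rendered by the browser.
function render_unsafe(string $value): string {
    return "<p>You searched for: " . $value . "</p>";
}

// Hardened form: encode the value for the HTML context it is placed in.
// ENT_QUOTES also escapes single quotes, so the result is safe inside
// quoted attribute values as well as in element content.
function render_safe(string $value): string {
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>You searched for: " . $encoded . "</p>";
}

// Constructed check with a harmless tag: the angle brackets are encoded
// rather than interpreted.
assert(render_safe('<b>') === '<p>You searched for: &lt;b&gt;</p>');

$value = $_GET['q'] ?? '';

// Defence in depth: a CSP that disallows inline script limits what a
// reflected value can do even if an encoding step is missed elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('Content-Type: text/html; charset=UTF-8');

echo render_safe($value);
```

Encoding must match the output context: htmlspecialchars is correct for HTML element content and quoted attributes, but a value placed inside a script block, a URL, or a CSS rule needs the encoding rules for that context instead.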
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 0.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.