Medium severity · OSV Advisory · Published Dec 26, 2024 · Updated Apr 15, 2026
CVE-2024-56361
Description
LGSL (Live Game Server List) provides online status for games. Before 7.0.0, LGSL contained a stored cross-site scripting (XSS) vulnerability. The function lgsl_query_40 in lgsl_protocol.php implements an HTTP crawler: it makes a request to the registered game server, and when it crawls a malicious /info endpoint whose response carries a script payload, that JavaScript is rendered on the info page. This information is displayed via lgsl_details.php. This vulnerability is fixed in 7.0.0.
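The rendering step described above, written defensively as an added example (not LGSL's code and not the project's patch). The helper names `esc`, `linkify_escaped` and `render_extra_rows` and the `$extras` array are hypothetical stand-ins for the fields the crawler stores from a remote `/info` response; the sample values are constructed.

```php
<?php
// Added example; not LGSL code. $extras stands in for the key/value pairs
// the crawler stored from a remote game server's /info response.

// Encode untrusted text for an HTML body or a quoted attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Linkify text that is ALREADY encoded. Only http(s) URLs are matched, and
// the character class cannot match quotes, angle brackets or '&', so a
// match cannot break out of href='...'. (Pattern chosen for this example.)
function linkify_escaped(string $escaped): string
{
    return preg_replace(
        '~\bhttps?://[\w.\-/=$?]+~i',
        "<a href='\$0' target='_blank' rel='noopener noreferrer'>\$0</a>",
        $escaped
    ) ?? $escaped;
}

function render_extra_rows(array $extras): string
{
    $out = '';
    foreach ($extras as $field => $value) {
        // Both the key and the value originate from the remote server,
        // so both are encoded before they reach the page.
        $f = esc((string) $field);
        $v = linkify_escaped(esc((string) $value));
        $out .= "<tr><td>{$f}</td><td>{$v}</td></tr>\n";
    }
    return $out;
}

// Constructed sample fields with a benign marker payload.
$extras = [
    'website'        => 'https://example.org/rules?id=1',
    'motd'           => '<script>alert(1)</script>',
    '<b>version</b>' => "1.0' onmouseover='x",
];

echo render_extra_rows($extras);
```

The first row comes out as a link; the other two rows appear as literal text because the markup characters in both key and value are entity-encoded before any HTML is built.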
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tltneon/lgsl (Packagist) | < 7.0.0 | 7.0.0 |
Affected products: 3
Patches: 2
0c66147ffb3c · 1 file changed · +1 −1
lgsl_files/lgsl_details.php+1 −1 modified@@ -208,7 +208,7 @@ </tr>"; foreach ($server['e'] as $field => $value) { - $value = preg_replace('/((https*:\/\/|https*:\/\/www\.|www\.)[\w\d\.\-\/=$?]*)/i', "<a href='$1' target='_blank'>$1</a>", html_entity_decode($value)); + $value = preg_replace('/((https*:\/\/|https*:\/\/www\.|www\.)[\w\d\.\-\/=$?]*)/i', "<a href='$1' target='_blank'>$1</a>", htmlentities($value, ENT_QUOTES, 'UTF-8')); $output .= " <tr><td> {$field} </td><td> {$value} </td></tr>"; }
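Review bot: `{$field}` in the unchanged `$output .= " <tr><td> {$field} </td><td> {$value} </td></tr>";` line is still interpolated without encoding, while only `$value` is passed through `htmlentities(...)` on the changed line. The keys come from the same `$server['e']` array as the values, so unless they are encoded before this loop, apply `htmlentities($field, ENT_QUOTES, 'UTF-8')` to them as well. Also, the removed call was `html_entity_decode($value)`, which suggests values may arrive already entity-encoded; if so, the new call will double-encode them, so it is worth confirming where the first encoding happens.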
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.