CVE-2024-56517
Description
LGSL (Live Game Server List) provides online status lists for online video games. Versions up to and including 6.2.1 contain a reflected cross-site scripting vulnerability in the Referer HTTP header. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization. When crafted malicious input is provided in the Referer header, it is echoed back into an HTML attribute in the application’s response. Commit 7ecb839df9358d21f64cdbff5b2536af25a77de1 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-56517 is a reflected XSS in LGSL <=6.2.1 via unsanitized Referer header, allowing arbitrary JavaScript injection.
Root Cause
LGSL versions up to and including 6.2.1 suffer from a reflected cross-site scripting (XSS) vulnerability in the handling of the HTTP Referer header. The application echoes the value of the Referer header directly into an HTML attribute in the response without proper sanitization or encoding. This insufficient input validation allows attackers to inject arbitrary JavaScript code through a crafted Referer header [1].
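The reflection described above, shown next to an output-encoded version with a regression check. This is an added example, not LGSL code: the function names, the `<a class='back'>` markup and the probe value are hypothetical, and the check assumes PHP's DOM extension is enabled.

```php
<?php
// Added example, not LGSL code. render_link_raw(), render_link_encoded() and
// the <a class='back'> markup are hypothetical stand-ins for the real sink.

// Before: the header value is concatenated into a single-quoted attribute.
function render_link_raw(array $server): string
{
    $uri = $server['HTTP_REFERER'] ?? '';
    return "<a class='back' href='" . $uri . "'>back</a>";
}

// After: encode for the HTML attribute context at the point of output.
// ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of making htmlspecialchars() return an empty string.
function render_link_encoded(array $server): string
{
    $uri  = $server['HTTP_REFERER'] ?? '';   // the header is optional
    $safe = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a class='back' href='" . $safe . "'>back</a>";
}

// Regression check: parse the markup and list the attributes the element
// ends up with. Any name besides class/href means the value left its quotes.
function attribute_names(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $a = $doc->getElementsByTagName('a')->item(0);
    $names = [];
    foreach ($a->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);
    return $names;
}

// Constructed, inert probe: a quote followed by a marker attribute.
$probe = ['HTTP_REFERER' => "https://example.test/' data-probe='1"];

echo "raw:       ", implode(', ', attribute_names(render_link_raw($probe))), "\n";
echo "encoded:   ", implode(', ', attribute_names(render_link_encoded($probe))), "\n";
echo "no header: ", implode(', ', attribute_names(render_link_encoded([]))), "\n";
```

Encoding only closes the attribute-breakout path; if the value is used as a link target, its scheme still needs to be validated separately.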
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link or request that sets a Referer header containing a JavaScript payload. When a user (or automated process) makes a request to a vulnerable endpoint on the LGSL application, the injected script is reflected in the HTML response. The attack requires no authentication or special privileges; any HTTP request to a vulnerable page can trigger the reflection. The vulnerability is classified as reflected XSS, meaning the payload is not stored on the server but is immediately returned in the server's response [1].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser and the LGSL application's origin. An attacker could perform actions on behalf of the victim (such as stealing session cookies, redirecting to malicious sites, or defacing the page). The CVSS score of 5.4 (Medium) indicates a moderate risk, as the attack requires user interaction (e.g., clicking a link) and the impact to confidentiality and integrity is limited, though availability is unaffected.
Mitigation
The vulnerability is patched in commit 7ecb839df9358d21f64cdbff5b2536af25a77de1. LGSL users are strongly advised to update to the latest fixed version. There is no indication that this CVE is listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tltneon/lgsl (Packagist) | <= 6.2.1 | — |
Affected products (3)
Patches (1)
1 file changed · +2 −2
lgsl_files/lgsl_list.php+2 −2 modified@@ -20,7 +20,7 @@ $uri = $_SERVER['REQUEST_URI']; if ($lgsl_config['preloader']) { - $uri = $_SERVER['HTTP_REFERER']; + $uri = htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8'); } $server_list = lgsl_query_group(array("type" => $type, "game" => $game, "page" => $page)); @@ -142,4 +142,4 @@ $output .= "<div style='text-align:center; font-family:tahoma; font-size:9px; padding: 33px 0 11px 0;'><a href='https://github.com/tltneon/lgsl' style='text-decoration:none'>".lgsl_version()."</a></div>"; //--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ if ($lgsl_config['preloader']) - echo $output; \ No newline at end of file + echo $output;
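Review bot: In the first hunk of lgsl_files/lgsl_list.php, the context line `$uri = $_SERVER['REQUEST_URI'];` still assigns a request-controlled value with no encoding, so only the preloader branch gets `htmlspecialchars()`. If `$uri` is written into the same HTML attribute in both branches, encode it once at the point where it is emitted into the markup instead of at one of the two assignments. The added line also reads `$_SERVER['HTTP_REFERER']` directly, which is unset when the client sends no Referer header; `$_SERVER['HTTP_REFERER'] ?? ''` would avoid the undefined-index notice and a null argument to `htmlspecialchars()`.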
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
- github.com/advisories/GHSA-ggwq-xc72-33r3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-56517 (ghsa, ADVISORY)
- github.com/tltneon/lgsl/blob/master/lgsl_files/lgsl_list.php (nvd, WEB)
- github.com/tltneon/lgsl/commit/7ecb839df9358d21f64cdbff5b2536af25a77de1 (nvd, WEB)
- github.com/tltneon/lgsl/security/advisories/GHSA-ggwq-xc72-33r3 (nvd, WEB)