CVE-2024-10288

6.1 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in LocalServer 1.0.9 allows attackers to inject malicious scripts via the ListName parameter in the /mlss/SubscribeToList endpoint. When exploited, it can steal authenticated users' session details. Organizations running LocalServer 1.0.9 are affected.

💻 Affected Systems

Products:
  • LocalServer
Versions: 1.0.9
Operating Systems: All platforms running LocalServer
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /mlss/SubscribeToList endpoint to be accessible and the attacker to trick an authenticated user into clicking a malicious link.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrative session tokens, gain full system access, and potentially compromise the entire server infrastructure.

🟠 Likely Case

Session hijacking leading to unauthorized access to sensitive data and functionality within the LocalServer application.

🟢 If Mitigated

Limited impact with proper input validation and output encoding preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to deliver malicious payload to authenticated users.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-xss-vulnerabilities-localserver

Restart Required: No

Instructions:

1. Monitor vendor for security updates.
2. Apply patches when available.
3. Test in non-production environment first.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Implement server-side validation and sanitization of the ListName parameter to remove or encode malicious scripts.

Implement input validation in application code for ListName parameter
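The workaround above describes the fix in one sentence. The following added Python (written for this page, not code from LocalServer or the vendor) shows the two halves side by side: the reflected-parameter pattern the advisory describes, and a hardened handler that allowlists the ListName value on input and HTML-encodes it on output. The allowlist pattern, the function names and the message markup are assumptions for illustration.

```python
import html
import re
from typing import Optional

# Constructed example, not LocalServer's own code. The allowlist pattern is an
# assumption about what a mailing-list name should look like; adjust it to the
# names the application actually uses.
LIST_NAME_PATTERN = re.compile(r"^[A-Za-z0-9 _.-]{1,64}$")


def validate_list_name(raw: Optional[str]) -> Optional[str]:
    """Return the ListName value if it matches the allowlist, otherwise None."""
    if raw is None:
        return None
    return raw if LIST_NAME_PATTERN.fullmatch(raw) else None


def render_subscribe_message_unsafe(list_name: str) -> str:
    """The defect the advisory describes: the parameter is reflected verbatim
    into the page, so any markup in it is interpreted by the browser."""
    return "<p>Subscribed to list: <b>" + list_name + "</b></p>"


def render_subscribe_message(list_name: str) -> str:
    """Hardened form: HTML-encode on output, quotes included, so the value
    cannot break out of the surrounding element or an attribute."""
    return "<p>Subscribed to list: <b>%s</b></p>" % html.escape(list_name, quote=True)


def handle_subscribe(params: dict) -> tuple:
    """Hardened request flow: reject anything outside the allowlist, then
    encode whatever is rendered. Returns (status_code, body)."""
    name = validate_list_name(params.get("ListName"))
    if name is None:
        return 400, "<p>Invalid list name.</p>"
    return 200, render_subscribe_message(name)


if __name__ == "__main__":
    for value in ("Newsletter", "<b>not a list name</b>"):
        print(repr(value), "->", handle_subscribe({"ListName": value}))
```

Validation and encoding are kept as separate steps on purpose: the allowlist rejects values that are not plausible list names at all, while output encoding protects every value that is rendered, so the page stays safe even if the allowlist is later loosened.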

Web Application Firewall (WAF) Rules

Applies to: all

Configure WAF to block requests containing XSS payloads targeting the /mlss/SubscribeToList endpoint.

Add WAF rule to detect and block malicious ListName parameter values

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Restrict access to /mlss/SubscribeToList endpoint to trusted users only

🔍 How to Verify

Check if Vulnerable:

Test the /mlss/SubscribeToList endpoint with XSS payloads in the ListName parameter and check if scripts execute.

Check Version:

Check LocalServer version in application interface or configuration files

Verify Fix Applied:

Retest with XSS payloads after implementing fixes to confirm scripts are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /mlss/SubscribeToList with encoded scripts in parameters
  • Multiple failed authentication attempts followed by XSS payload requests

Network Indicators:

  • HTTP requests containing script tags or JavaScript in ListName parameter
  • Traffic patterns showing social engineering attempts

SIEM Query:

source="webserver" AND uri="/mlss/SubscribeToList" AND (query="*<script*" OR query="*javascript:*" OR query="*%3Cscript*" OR query="*javascript%3A*")

The query field must be matched with wildcards rather than exact equality, and the URL-encoded forms (%3Cscript, javascript%3A) must be included, because browsers send the parameter percent-encoded and most web servers log it that way.
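The SIEM query only matches literal markers in the raw request line. The following added Python (written for this page, not from the vendor or any SIEM product) runs the same detection over constructed access-log lines, URL-decoding the ListName value first so percent-encoded payloads are caught, and goes slightly beyond the page's two markers by also flagging inline event-handler attributes. The log lines, addresses and timestamps are constructed samples; the Common Log Format layout and the path are the only things taken from the page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not real LocalServer logs), in Common
# Log Format with the request line quoted. The payload values are the usual
# harmless test markers, present only so the detection has something to match.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2024:10:01:02 +0000] "GET /mlss/SubscribeToList?ListName=Newsletter HTTP/1.1" 200 512
10.0.0.9 - - [12/Nov/2024:10:01:07 +0000] "GET /mlss/SubscribeToList?ListName=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
10.0.0.9 - - [12/Nov/2024:10:01:09 +0000] "GET /mlss/SubscribeToList?ListName=javascript%3Aalert(1) HTTP/1.1" 200 640
10.0.0.7 - bob [12/Nov/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [12/Nov/2024:10:03:11 +0000] "GET /mlss/SubscribeToList?ListName=x%22%20onmouseover%3Dalert(1)%20 HTTP/1.1" 200 640
"""

# client, ident, user, [timestamp], "METHOD target PROTOCOL", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# The two markers from the page's SIEM query plus the on<event>= attribute
# form, applied after URL decoding so percent-encoded variants do not slip by.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

TARGET_PATH = "/mlss/SubscribeToList"


def suspicious_subscribe_requests(log_text: str) -> list:
    """Return one dict per request whose decoded ListName carries an XSS marker."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        src, ts, method, target, status = m.groups()
        parts = urlsplit(target)
        if parts.path != TARGET_PATH:
            continue
        # parse_qsl percent-decodes each value once, which is what the browser sent.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == "ListName" and XSS_MARKERS.search(value):
                hits.append({"src": src, "time": ts, "status": status, "value": value})
    return hits


def count_by_source(hits: list) -> dict:
    """Group hits per client address; repeated hits from one source are the
    pattern worth alerting on, a single one may be a scanner or a typo."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_subscribe_requests(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["src"], repr(h["value"]))
    print(count_by_source(found))
```

Because the match runs on the decoded value, the same function covers the encoded and unencoded forms listed in the SIEM query without separate patterns; anything double-encoded would still need a second decoding pass, which is a known gap of this approach and of the raw SIEM query alike.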
