CVE-2024-27728 – This Cross-Site Scripting (XSS) vulnerability i... (How to Fix)

Q: What is the severity of CVE-2024-27728?

CVE-2024-27728 has a CVSS score of 6.1 (MEDIUM). This Cross-Site Scripting (XSS) vulnerability in Friendica's babel debug feature allows remote attackers to inject malicious scripts via the text parameter. When exploited, this can lead to session hijacking, credential theft, or unauthorized actions on behalf of users. All Friendica instances running version 2023.12 are affected.

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in Friendica's babel debug feature allows remote attackers to inject malicious scripts via the text parameter. When exploited, this can lead to session hijacking, credential theft, or unauthorized actions on behalf of users. All Friendica instances running version 2023.12 are affected.

💻 Affected Systems

Products:

Friendica

Versions: 2023.12

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: The babel debug feature must be enabled/accessible for exploitation. Default configurations may expose this feature.

📦 What is this software?

Friendica by Friendica

View all CVEs affecting Friendica →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator credentials, take over administrative accounts, compromise the entire Friendica instance, and potentially pivot to other systems.

🟠

Likely Case

Attackers steal user session cookies and authentication tokens, enabling account takeover and unauthorized posting/actions on affected user accounts.

🟢

If Mitigated

With proper input validation and output encoding, the risk is limited to minor data leakage or functionality disruption.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is in a debug feature that may not be enabled in production, but exploitation is straightforward when accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.03 or later

Vendor Advisory: https://github.com/friendica/friendica/pull/13927

Restart Required: No

Instructions:

1. Update Friendica to version 2024.03 or later. 2. Apply the patch from GitHub PR #13927 if updating is not possible. 3. Verify the fix by testing the babel debug feature.

🔧 Temporary Workarounds

Disable babel debug feature

all

Disable or restrict access to the babel debug functionality in Friendica configuration.

Edit config/local.config.php and set 'system' => ['babel_debug' => false]

Implement WAF rules

all

Add web application firewall rules to block XSS payloads targeting the text parameter.

🧯 If You Can't Patch

Disable the babel debug feature immediately via configuration changes.
Implement strict Content Security Policy (CSP) headers to mitigate XSS impact.

🔍 How to Verify

Check if Vulnerable:

Check if Friendica version is 2023.12 and the babel debug feature is accessible/enabled.

Check Version:

Check the VERSION file in Friendica installation directory or admin panel.

Verify Fix Applied:

Test the babel debug feature with XSS payloads; successful payload execution indicates vulnerability.

📡 Detection & Monitoring

Log Indicators:

Unusual requests to babel debug endpoints
JavaScript payloads in URL parameters or POST data

Network Indicators:

HTTP requests containing script tags or JavaScript in text parameter

SIEM Query:

source="friendica_logs" AND (uri_path="*babel*" AND (param="*<script>*" OR param="*javascript:*"))

📊 Metadata

CVE ID: CVE-2024-27728

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

Published: August 15, 2024

Last Updated: June 4, 2025

🔗 References

https://github.com/friendica/friendica/pull/13927 Issue Tracking,Patch
https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-27728, you might also want to check these: