Login Sign Up

CVE-2024-39094

5.4 MEDIUM
Cross-Site Scripting

📋 TL;DR

Friendica 2024.03 contains a cross-site scripting vulnerability in profile settings fields that allows attackers to inject malicious scripts. This affects all users who can access profile settings, potentially compromising their sessions or stealing credentials. The vulnerability exists in the homepage, xmpp, and matrix parameter fields.

💻 Affected Systems

Products:
  • Friendica
Versions: 2024.03 and earlier versions
Operating Systems: All platforms running Friendica
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with profile settings enabled are vulnerable. The vulnerability requires user interaction through profile viewing or editing.

📦 What is this software?

Friendica by Friendica

View all CVEs affecting Friendica →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform account takeover, redirect users to malicious sites, or execute actions on behalf of authenticated users.

🟠

Likely Case

Attackers could steal session tokens or credentials through crafted profile links, leading to account compromise.

🟢

If Mitigated

With proper input validation and output encoding, the risk is limited to minor data leakage or UI disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to profile settings or tricking users into viewing malicious profile content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.08

Vendor Advisory: https://friendi.ca/2024/08/17/friendica-2024-08-released/

Restart Required: No

Instructions:

1. Backup your Friendica installation and database. 2. Download Friendica 2024.08 from the official repository. 3. Replace all files with the new version. 4. Run any database migrations if prompted. 5. Clear caches and verify functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Add custom input validation for homepage, xmpp, and matrix fields to sanitize HTML/JavaScript content

# Modify profile settings validation in your Friendica installation
# Add HTML entity encoding for these fields before storage

🧯 If You Can't Patch

  • Disable profile editing functionality temporarily
  • Implement web application firewall rules to block XSS payloads in profile parameters

🔍 How to Verify

Check if Vulnerable:

Check if Friendica version is 2024.03 or earlier. Test by attempting to inject script tags in homepage, xmpp, or matrix profile fields.

Check Version:

Check Friendica version in admin panel or view version.php file

Verify Fix Applied:

After upgrading to 2024.08, attempt XSS injection in profile fields and verify scripts are properly sanitized and not executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in profile field updates
  • Multiple failed XSS attempts in profile submissions

Network Indicators:

  • Suspicious redirects from profile pages
  • Unexpected external script loads from profile content

SIEM Query:

Search for patterns like <script>, javascript:, or encoded payloads in profile update logs

📊 Metadata

CVE ID: CVE-2024-39094
CVSS v3 Score: 5.4 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Published: August 20, 2024
Last Updated: March 13, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-39094, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)