CVE-2024-5409

7.1 HIGH

📋 TL;DR

RhinOS 3.0-1190 contains a reflected cross-site scripting (XSS) vulnerability in the bundled phpthumb.php component (/admin/lib/phpthumb/phpthumb.php). An attacker can craft a URL whose 'tamper' parameter carries script; when a victim opens the link, that script runs in their browser in the context of the RhinOS site and can read session cookies (where not marked HttpOnly), capture credentials, or perform actions in the victim's authenticated session. This affects all RhinOS installations running the vulnerable version.

💻 Affected Systems

Products:
  • RhinOS
Versions: 3.0-1190
Operating Systems: Linux-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation when phpthumb.php is accessible.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An administrator follows the crafted link while logged in: the attacker's script runs with that administrator's session, performs administrative actions or changes credentials, and the account is taken over. From there the attacker holds administrative control of the RhinOS instance.

🟠

Likely Case

Session hijacking leading to unauthorized access to user accounts and potential data exposure.

🟢

If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple URL-based attack requiring victim interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-rhinos-saltos

Restart Required: No

Instructions:

1. Check the vendor advisory (INCIBE-CERT link above) for an updated RhinOS release.
2. Apply any available patch or update.
3. Validate the fix by requesting the vulnerable endpoint with a test value in 'tamper' and confirming it is returned HTML-encoded (or not reflected at all).

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all platforms

Implement strict input validation and output encoding for the 'tamper' parameter wherever phpthumb.php echoes it back (typically in its error message). phpThumb is a bundled third-party library, so a local edit is overwritten if the library is updated; re-apply it or replace it with the vendor fix when one is available.

# Illustrative PHP hardening inside phpthumb.php; the exact line to change depends on the bundled phpThumb version
$tamper = isset($_GET['tamper']) ? htmlspecialchars($_GET['tamper'], ENT_QUOTES, 'UTF-8') : '';

Access Restriction

Applies to: Linux (Apache or Nginx front end)

Restrict access to /admin/lib/phpthumb/phpthumb.php (ideally the whole /admin/ tree) to trusted IPs only. Replace 192.168.1.0/24 with your administration network. This limits who can reach the endpoint, but a reflected XSS link still works against an administrator who browses from an allowed address, so it reduces exposure rather than removing the flaw.

# Apache 2.4 (inside a <Directory> or <Location "/admin/lib/phpthumb"> block)
Require ip 192.168.1.0/24
# Apache 2.2 legacy syntax
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Nginx
location = /admin/lib/phpthumb/phpthumb.php { allow 192.168.1.0/24; deny all; }

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads in the 'tamper' parameter.
  • Monitor and alert on suspicious access patterns to the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Test by requesting /admin/lib/phpthumb/phpthumb.php?tamper=<script>alert('XSS')</script> (sent percent-encoded as tamper=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E) and checking whether the script executes, i.e. whether the response body contains the payload with its angle brackets intact. A harmless marker such as tamper=xsstest%3C%22%3E gives the same answer and is less likely to be blocked by a WAF: if it comes back as xsstest<"> the endpoint is vulnerable; if it comes back as xsstest&lt;&quot;&gt; output encoding is in place.

Check Version:

Check RhinOS version in administration panel or configuration files.

Verify Fix Applied:

Retest the vulnerable endpoint with the same payloads and confirm the value is returned HTML-encoded (&lt;script&gt;) or not reflected at all; no script execution must occur.
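The check described above, written out as an added example (not code from the advisory or from RhinOS): it builds the probe URL for the endpoint named in the advisory and classifies how the response reflects the 'tamper' value. The two HTTP bodies at the bottom are constructed stand-ins for a vulnerable and a fixed server, and the host in the usage call is a placeholder.

```python
"""Added example, not code from the advisory or from RhinOS: decide whether a
phpthumb.php response reflects the 'tamper' parameter without HTML encoding.

Endpoint path and parameter name come from the advisory. The HTTP bodies at the
bottom are constructed stand-ins for a vulnerable and a fixed server; the base
URL in the usage call is a placeholder.
"""
import html
import urllib.parse
import urllib.request

ENDPOINT = "/admin/lib/phpthumb/phpthumb.php"

# Unique marker containing the metacharacters XSS needs (< " ' >). A marker is
# preferred over <script>alert(1)</script>: it is harmless, unambiguous in the
# response, and less likely to be swallowed by a WAF rule.
PROBE = "xsschk<\"'>zz"


def build_probe_url(base: str, probe: str = PROBE) -> str:
    """Return the test URL with the probe percent-encoded into 'tamper'."""
    query = urllib.parse.urlencode({"tamper": probe})
    return base.rstrip("/") + ENDPOINT + "?" + query


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Classify how the response body reflects the probe.

    'unencoded' -> probe returned verbatim, metacharacters intact: vulnerable
    'encoded'   -> '<' came back as '&lt;': output encoding is in place
    'filtered'  -> marker present but metacharacters stripped or altered
    'absent'    -> parameter is not reflected at all
    """
    if probe in body:
        return "unencoded"
    marker, _, _ = probe.partition("<")   # "xsschk"
    # PHP htmlspecialchars() and Python html.escape() both turn '<' into '&lt;'.
    if marker + "&lt;" in body:
        return "encoded"
    if marker in body:
        return "filtered"
    return "absent"


def check_target(base: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL from a live host and classify it (needs network access)."""
    with urllib.request.urlopen(build_probe_url(base), timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body)


# Constructed responses: a vulnerable server echoes the parameter raw, a fixed
# one encodes it before printing.
VULNERABLE_BODY = f"<html><body><p>Error: invalid tamper value {PROBE}</p></body></html>"
FIXED_BODY = (
    "<html><body><p>Error: invalid tamper value "
    f"{html.escape(PROBE, quote=True)}</p></body></html>"
)

if __name__ == "__main__":
    print(build_probe_url("https://rhinos.example"))       # placeholder host
    print("vulnerable sample ->", classify_reflection(VULNERABLE_BODY))
    print("fixed sample      ->", classify_reflection(FIXED_BODY))
```

Only 'unencoded' means the endpoint is exploitable; 'filtered' usually indicates a WAF or an incomplete sanitizer sitting in front of the real fix and deserves a second look with a different payload shape.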

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /admin/lib/phpthumb/phpthumb.php with script tags or encoded payloads in parameters.
  • Unusual session creation or access from new locations.

Network Indicators:

  • Outbound connections to attacker-controlled domains following access to the vulnerable URL.

SIEM Query (pseudo-syntax, adapt to your platform; match against the URL-decoded query string, since payloads are normally logged percent-encoded, e.g. %3Cscript):

source="web_logs" AND uri="/admin/lib/phpthumb/phpthumb.php" AND (param="tamper" AND value MATCHES "<script|javascript:|onerror=|%3Cscript|javascript%3A")
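The decoding step that the pseudo-query above glosses over, as an added example (not part of the advisory or of any SIEM product): it parses access-log lines, isolates the 'tamper' value on the advisory's endpoint, URL-decodes it twice to catch double-encoded payloads, and flags XSS-style content. The log lines are constructed in combined format for illustration.

```python
"""Added example, not code from the advisory: flag access-log lines carrying
XSS-style payloads in the 'tamper' parameter of phpthumb.php.

Endpoint and parameter name come from the advisory; the log lines are
constructed in Apache/Nginx combined format. The pattern list is a starting
point to tune, not a complete XSS signature set.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin/lib/phpthumb/phpthumb.php"

# Checked against the URL-decoded parameter value, case-insensitively.
XSS_PATTERNS = re.compile(
    r"<\s*script|javascript\s*:|on\w+\s*=|<\s*(img|svg|iframe|body)\b",
    re.IGNORECASE,
)

# Combined log format: host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_suspicious_request(request_path: str) -> bool:
    """True if the request targets phpthumb.php with an XSS-like 'tamper' value."""
    parts = urlsplit(request_path)
    if parts.path != ENDPOINT:
        return False
    # parse_qs removes one layer of percent-encoding; unquote() removes a second
    # so that %253Cscript (logged form) -> %3Cscript -> <script is still caught.
    for value in parse_qs(parts.query, keep_blank_values=True).get("tamper", []):
        if XSS_PATTERNS.search(unquote(value)):
            return True
    return False


def scan_log(lines):
    """Return (client_ip, timestamp, request_path, status) for each suspicious line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ip, ts, _method, path, status = m.groups()
        if is_suspicious_request(path):
            hits.append((ip, ts, path, status))
    return hits


# Constructed sample log: one benign thumbnail request, two probes from one
# source (plain and double-encoded), an XSS attempt against a different page,
# and a javascript: URI in 'tamper'.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "GET /admin/lib/phpthumb/phpthumb.php?src=logo.png&w=100 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:02:15 +0000] "GET /admin/lib/phpthumb/phpthumb.php?tamper=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 734 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2024:10:02:16 +0000] "GET /admin/lib/phpthumb/phpthumb.php?tamper=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 734 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:05:40 +0000] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2024:10:06:01 +0000] "GET /admin/lib/phpthumb/phpthumb.php?tamper=javascript%3Aalert(document.cookie) HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, path, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {path}")
```

The /index.php line is deliberately not flagged: the rule is scoped to the vulnerable endpoint so it stays quiet, and because the 'on\w+=' pattern will match legitimate parameter names elsewhere. Widen the path match only after checking what else in the deployment reflects query parameters.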
