CVE-2024-24136 in Math Game with Leaderboard
Summary
by MITRE • 01/29/2024
The 'Your Name' field in the Submit Score section of Sourcecodester Math Game with Leaderboard v1.0 is vulnerable to Cross-Site Scripting (XSS) attacks.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/21/2025
The vulnerability identified as CVE-2024-24136 resides within the Sourcecodester Math Game with Leaderboard version 1.0 application, specifically targeting the 'Your Name' input field within the Submit Score functionality. This represents a classic cross-site scripting weakness that allows malicious actors to inject arbitrary JavaScript code into the application's response, potentially compromising user sessions and data integrity. The flaw manifests when user-provided input containing malicious scripts is processed and rendered without proper sanitization or encoding mechanisms.
This vulnerability falls under the CWE-79 category of Cross-Site Scripting, which is classified as a critical security weakness in web applications. The specific implementation flaw occurs in the score submission component where the application fails to adequately validate and sanitize user input before incorporating it into the web page response. The 'Your Name' field serves as the attack vector, enabling adversaries to craft payloads that execute within the context of other users' browsers when they view the leaderboard or related pages containing the submitted scores.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable session hijacking, credential theft, and data manipulation within the affected application. An attacker could craft malicious input that, when submitted, would execute in the browser of any user viewing the leaderboard, potentially redirecting them to phishing sites or stealing session cookies. The vulnerability is particularly concerning in a leaderboard context where user submissions are publicly visible, amplifying the attack surface and potential damage.
Mitigation strategies for this vulnerability should include implementing comprehensive input validation and output encoding mechanisms throughout the application. The recommended approach involves sanitizing all user-provided input through proper HTML escaping and implementing Content Security Policy headers to prevent unauthorized script execution. Additionally, the application should employ proper input length restrictions and character validation to prevent injection of malicious payloads. Organizations should also consider implementing web application firewalls and regular security testing to identify similar vulnerabilities in other components of the application stack.
The attack surface for this vulnerability aligns with ATT&CK technique T1531 which focuses on 'Run-time Process Modification' and T1203 which addresses 'Exploitation for Client Execution'. This weakness creates opportunities for attackers to establish persistent access through client-side exploitation, particularly when combined with other vulnerabilities or social engineering techniques that could further compromise user systems. The vulnerability demonstrates the importance of input validation and output encoding as fundamental security controls that should be implemented across all web application components to prevent such attacks.