CVE-2024-25807 in Lycheeinfo

Summary

by MITRE • 03/22/2024

Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/13/2025

The vulnerability CVE-2024-25807 represents a critical cross site scripting flaw in Lychee version 3.1.6 that enables remote attackers to inject malicious scripts into web applications. This vulnerability specifically targets the album creation functionality where the title parameter is processed without adequate input validation or output sanitization. The flaw exists within the web application's user interface handling mechanism, creating an attack vector that can be exploited by unauthorized individuals to manipulate the application's behavior and potentially access sensitive data. This type of vulnerability falls under the Common Weakness Enumeration category CWE-79 which specifically addresses improper neutralization of input during web page generation, making it a well-documented and severe security concern in web application development.

The technical implementation of this XSS vulnerability stems from insufficient sanitization of user input when processing album titles during creation operations. When users submit album titles containing malicious script code through the title parameter, the application fails to properly escape or validate this input before rendering it within the web page context. This allows attackers to inject JavaScript code that executes in the victim's browser context, potentially leading to session hijacking, data theft, or further exploitation of the web application. The vulnerability is particularly dangerous because it operates within a core functionality of the application where users naturally provide input, making it difficult to distinguish between legitimate and malicious content without proper validation mechanisms.

The operational impact of this vulnerability extends beyond simple script execution as it can enable attackers to perform a wide range of malicious activities within the application environment. An attacker could craft malicious album titles that redirect users to phishing sites, steal authentication cookies, or even execute commands on behalf of authenticated users. The potential for information disclosure increases significantly as attackers can leverage the XSS payload to capture sensitive data from the web application's session or database. This vulnerability particularly affects users who have administrative privileges or access to sensitive album content, as the malicious script execution could lead to complete compromise of the application's user data and potentially the underlying server infrastructure.

Organizations using Lychee 3.1.6 should immediately implement mitigations including input validation and output encoding for all user-provided content, particularly in areas where album titles are processed. The recommended approach involves implementing proper sanitization routines that remove or escape potentially dangerous characters before rendering user input in web pages. Security patches should be applied as soon as they become available from the Lychee development team, and organizations should consider implementing Content Security Policy headers to prevent execution of unauthorized scripts. Additionally, regular security assessments and code reviews should be conducted to identify similar vulnerabilities in other application components, as this type of flaw often indicates broader issues with input handling and security practices within the web application framework. The vulnerability demonstrates the importance of following secure coding practices and implementing defense-in-depth strategies to protect against persistent threats in modern web applications.

Reservation

02/12/2024

Disclosure

03/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00460

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!