CVE-2024-29801 in Fullscreen Galleria Plugin
Summary
by MITRE • 03/27/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Petri Damstén Fullscreen Galleria allows Stored XSS.This issue affects Fullscreen Galleria: from n/a through 1.6.11.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/12/2025
The CVE-2024-29801 vulnerability represents a critical cross-site scripting flaw within the Petri Damstén Fullscreen Galleria plugin, specifically categorized under CWE-79 Improper Neutralization of Input During Web Page Generation. This vulnerability enables attackers to inject malicious scripts into web pages viewed by other users, creating a persistent threat that can compromise user sessions and exfiltrate sensitive data. The issue manifests as a stored XSS vulnerability, meaning that malicious payloads are permanently stored on the server and executed whenever affected pages are accessed, rather than requiring immediate user interaction with a crafted link. The vulnerability affects all versions of the Fullscreen Galleria plugin from the initial release through version 1.6.11, indicating a prolonged exposure window that could have allowed extensive exploitation. This type of vulnerability falls under the ATT&CK technique T1531 Credential Access through Web Application Firewall Evasion and can be leveraged for session hijacking, defacement of web content, and data theft from authenticated users.
The technical exploitation of this vulnerability occurs when the plugin fails to properly sanitize or escape user-supplied input during the generation of web pages, allowing malicious scripts to be embedded directly into the HTML output. Attackers can leverage this weakness by submitting crafted content through plugin interfaces or configuration parameters that are then stored and subsequently rendered without adequate security filtering. The stored nature of this XSS vulnerability means that once malicious input is accepted and processed by the plugin, it becomes part of the web application's permanent content, executing automatically whenever users access the affected pages. This persistent execution model makes the vulnerability particularly dangerous as it can affect multiple users over extended periods without requiring repeated user interaction, unlike reflected XSS attacks that depend on user clicks. The vulnerability's impact extends beyond simple script execution to potentially enable full compromise of user accounts and sensitive information disclosure.
The operational impact of CVE-2024-29801 is severe given that it affects a widely used gallery plugin that likely processes user-generated content through web forms or administrative interfaces. Attackers can exploit this vulnerability to execute arbitrary JavaScript code in the context of affected websites, potentially allowing them to steal cookies, session tokens, or other sensitive information from authenticated users. The stored nature of the vulnerability means that malicious actors can deploy persistent backdoors or data exfiltration mechanisms that continue to operate until the plugin is updated or the malicious content is manually removed. This vulnerability can be particularly damaging in environments where the plugin is used for content management or user-uploaded media galleries, as it provides a vector for attackers to compromise not only individual user sessions but potentially entire web applications. The vulnerability also aligns with ATT&CK technique T1213 Data from Information Repositories, as it can be used to access stored user data and content within the compromised system.
Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest version of the Fullscreen Galleria plugin where the XSS vulnerability has been patched. The recommended approach involves thorough security testing of all user input handling mechanisms within the plugin and implementing proper input sanitization and output encoding techniques. Security measures should include implementing Content Security Policy headers to limit script execution, conducting regular security audits of web applications, and monitoring for suspicious user content or unauthorized changes to web application components. Additionally, administrators should consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts. The vulnerability demonstrates the critical importance of proper input validation and output encoding in preventing XSS attacks, aligning with industry best practices outlined in OWASP Top Ten and NIST cybersecurity guidelines for web application security. Organizations should also implement regular vulnerability scanning and penetration testing procedures to identify and remediate similar issues before they can be exploited by malicious actors.