CVE-2024-29832
Published 2024-03-26
Priority: P4 (28)
Severity: medium, CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.45% (35.6th percentile)
The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript block in the response, allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue.
Note that other parameters within the AJAX call, such as image_id, must be valid for this vulnerability to be successfully exploited.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 10web | photo_gallery | < 1.8.22 | 1.8.22 |
| 10web | photogallery | 1.0.1 – 1.8.21 | — |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.