PT-2024-24943 · Unknown · Librespeed Speedtest

N-Thumann · Published 2024-05-01 · Updated 2024-05-01 · CVE-2024-32890

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

librespeed/speedtest versions 5.2.5 through 5.3.0

Description

The issue arises from missing neutralization of the ISP information in a speedtest result, leading to stored Cross-site scripting in the JSON API. The processedString field in the ispinfo parameter is missing neutralization. It is stored when a user submits a speedtest result to the telemetry API (results/telemetry.php) and returned in the JSON API (results/json.php). This vulnerability was introduced in commit 3937b94 and affects LibreSpeed speedtest instances with telemetry enabled.

Recommendations

For versions 5.2.5 through 5.3.0, upgrade to version 5.3.1 to address the issue. As a temporary workaround, consider disabling the telemetry API (results/telemetry.php) and the JSON API (results/json.php) until the upgrade is possible. Restrict access to the ispinfo parameter to minimize the risk of exploitation. Avoid using the processedString field in the ispinfo parameter until the issue is resolved.
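Because the value is stored, results submitted while an affected version was running remain in the telemetry database after the upgrade. The following is an added example, not LibreSpeed code, of auditing exported rows for markup in processedString and producing the neutralized text. It assumes rows exported as (result id, ispinfo) pairs and an ispinfo value that is a JSON object with a processedString member; the sample rows are constructed.

```python
import html
import json
import re

# Characters needed to open or close an HTML tag if the stored value
# reaches a browser without neutralization.
MARKUP = re.compile(r"[<>]")

# Constructed sample rows: (result id, stored ispinfo string). The JSON
# object shape with a "processedString" member is an assumption.
SAMPLE_ROWS = [
    (101, json.dumps({"processedString": "203.0.113.7 - Example ISP, DE (12 km)",
                      "rawIspInfo": ""})),
    (102, json.dumps({"processedString": "<img src=x onerror=alert(1)>",
                      "rawIspInfo": ""})),
    (103, "not json at all"),
    (104, json.dumps({"processedString": ["unexpected", "type"]})),
]


def audit_row(result_id, ispinfo):
    """Return (result_id, verdict, neutralized_text) for one stored value."""
    try:
        processed = json.loads(ispinfo).get("processedString")
    except (ValueError, AttributeError):
        # Not JSON, or JSON that is not an object: review by hand.
        return (result_id, "unparseable", "")
    if not isinstance(processed, str):
        return (result_id, "unexpected-type", "")
    verdict = "suspicious" if MARKUP.search(processed) else "clean"
    # html.escape turns &, <, >, " and ' into entities, so the text can
    # no longer be parsed as markup.
    return (result_id, verdict, html.escape(processed, quote=True))


def audit(rows):
    """Audit every exported row, keeping the input order."""
    return [audit_row(rid, info) for rid, info in rows]


if __name__ == "__main__":
    for rid, verdict, safe in audit(SAMPLE_ROWS):
        print(rid, verdict, safe)
```

Rows reported as suspicious, unparseable or unexpected-type are candidates for review or deletion once the instance is on 5.3.1.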

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-32890
GHSA-3954-XRWH-FQ4Q

Affected Products

Librespeed Speedtest