CVE-2024-56361

Name of the Vulnerable Software and Affected Versions LGSL versions prior to 7.0.0

Description A stored cross-site scripting (XSS) vulnerability was identified in LGSL. The issue arises from improper sanitation of user input. The function lgsl query 40 in lgsl protocol.php has implemented an HTTP crawler, which makes a request to the registered game server and renders javascript on the info page when crawling the malicious /info endpoint with a payload. This information is being displayed via lgsl details.php. Everyone who accesses this page will be affected by this attack.

Recommendations For versions prior to 7.0.0, update to version 7.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the lgsl query 40 function in lgsl protocol.php until a patch is available. Restrict access to the /info endpoint to minimize the risk of exploitation. Avoid using the EconomyDesc field in the JSON payload served at /info until the issue is resolved.