PT-2024-36827 · Lgsl · Lgsl

Tcu0N9 · Published 2024-12-30 · Updated 2024-12-30 · CVE-2024-56517

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: LGSL (Live Game Server List) versions up to and including 6.2.1

Description: The issue is a reflected cross-site scripting (XSS) vulnerability in the handling of the Referer HTTP header. The header value is reflected into the HTML response without proper sanitization, which allows an attacker to inject arbitrary JavaScript code. When crafted input is supplied in the Referer header, it is echoed back into an HTML attribute in the application's response. The vulnerability is located in the /lgsl_files/lgsl_list.php endpoint, specifically in the lines where the $uri variable is set from the HTTP_REFERER header.

Recommendations: For LGSL (Live Game Server List) versions up to and including 6.2.1, update to a version that includes the patch commit 7ecb839df9358d21f64cdbff5b2536af25a77de1. As a temporary workaround, consider restricting access to the /lgsl_files/lgsl_list.php endpoint to reduce the risk of exploitation, and avoid using the Referer header with untrusted input until the fix is applied.
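The pattern the advisory describes, as an added PHP example that is not LGSL's own code: a $uri value taken from the Referer header and written into an HTML attribute, shown in its vulnerable form beside a hardened form. The function names, the surrounding markup and the constructed request are assumptions.

```php
<?php
// Added example, not LGSL's own code. It mirrors the pattern the advisory
// describes: $uri is taken from the Referer header and echoed into an HTML
// attribute. Function names and the surrounding markup are hypothetical.

// Vulnerable pattern: the header is trusted and concatenated straight into
// an attribute, so quotes and angle brackets in it become part of the markup.
function build_back_link_vulnerable(array $server): string
{
    $uri = $server['HTTP_REFERER'] ?? 'index.php';
    return '<a href="' . $uri . '">Back</a>';
}

// Hardened pattern: only accept an http(s) URL on our own host (the value is
// used as a link target), fall back to a fixed page otherwise, and encode for
// the attribute context with ENT_QUOTES so both quote styles are escaped.
function build_back_link_hardened(array $server): string
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $host    = $server['HTTP_HOST'] ?? '';   // may carry a port; then we fall back
    $parts   = parse_url($referer);
    $uri     = 'index.php';                  // safe default when absent or foreign

    if (is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strcasecmp($parts['host'], $host) === 0) {
        $uri = $referer;
    }

    return '<a href="' . htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">Back</a>';
}

// Constructed request (not captured traffic): a same-host Referer carrying the
// characters that matter inside an attribute. The vulnerable builder emits them
// verbatim, breaking out of the href; the hardened one emits them as entities.
$request = [
    'HTTP_HOST'    => 'game.example',
    'HTTP_REFERER' => 'http://game.example/lgsl_list.php?sort=name&q="<>',
];

echo build_back_link_vulnerable($request), PHP_EOL;
echo build_back_link_hardened($request), PHP_EOL;
```

Run with `php example.php` and compare the two lines: the first carries the raw `"` and `<>` inside the attribute, the second carries `&quot;&lt;&gt;`.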

Tags: XSS

Weakness Enumeration

Related Identifiers: CVE-2024-56517, GHSA-GGWQ-XC72-33R3

Affected Products: Lgsl