CVE-2024-8413

Name of the Vulnerable Software and Affected Versions: Raspcontrol version 1.0

Description: A Cross Site Scripting (XSS) issue exists through the action parameter in index.php. This allows an attacker to send a specially crafted JavaScript payload to an authenticated user, potentially hijacking their session details. The affected product codebase is located at https://github.com/Bioshox/Raspcontrol and includes forks such as https://github.com/harmon25/raspcontrol.

Recommendations: For Raspcontrol version 1.0, patch immediately and validate user input to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the index.php file or disabling the action parameter until a patch is available. Additionally, avoid using the action parameter in the affected API endpoint until the issue is resolved.