Platform: go
Component: github.com/j3ssie/osmedeus
Fixed in: 4.6.5
CVE-2024-51735 is a critical stored cross-site scripting (XSS) vulnerability in the web server component of Osmedeus (github.com/j3ssie/osmedeus), a Go-based workflow engine for offensive security and reconnaissance. Untrusted content that the server stores and later renders in its web UI is not encoded for the HTML context it lands in, so script embedded in that content executes in the browser of any operator who views the page, and the issue can be escalated to remote code execution (RCE). All versions prior to 4.6.5 are affected; 4.6.5 contains the fix.
The vulnerability is 'stored' rather than reflected: the payload lives on the server, so every operator who opens the affected page is hit, without any link needing to be clicked. In a reconnaissance tool this matters more than usual, because the data that ends up in generated reports (hostnames, page titles, banners and other scan output that feeds the report templates and the summary module) comes from the targets being scanned. A target owner therefore does not need an Osmedeus account to plant a payload; it is enough to answer a scan with a crafted response. Once script runs in an operator's authenticated session it can act as that operator, which means account takeover and theft of workspace data, and, because the Osmedeus web UI is the front end for launching scan workflows that run tools and commands on the host, it can also drive those functions to execute commands. That path from XSS to command execution on the scanning host is what raises the severity to critical.
CVE-2024-51735 was publicly disclosed on November 6, 2024. As of this writing there is no indication of exploitation in the wild and no public proof-of-concept (PoC) code, and the vulnerability is not listed in the CISA KEV catalog. Given the critical severity rating and the path to RCE on a host that typically holds credentials and scan data for client environments, patching should still be prioritised rather than waiting for exploitation evidence.
Exploit Status
EPSS: 0.18% (40th percentile)
CISA SSVC: (none listed)
The primary mitigation for CVE-2024-51735 is to upgrade to Osmedeus 4.6.5 or later, which is the official fix; there is no need to request one from the developer. If upgrading is not immediately feasible, apply input sanitisation and HTML output encoding to every field that flows from scan results into report templates, so that target-controlled strings are rendered as text rather than markup. A Web Application Firewall in front of the Osmedeus server only helps against payloads submitted through the web UI itself; it does nothing for content the scanner collects from targets, which is the more realistic injection route here. Until patched, avoid the summary module, and treat generated reports as untrusted: search them for script tags, inline event handlers and javascript: URLs before opening them in a browser session that holds operator credentials. On the detection side, review the web server's access logs for requests that start workflows or change configuration and that an operator cannot account for, since that is what a successful payload would do with the hijacked session.
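The following Go program is an added illustration of the failure mode and the two mitigations described above; it is not code from the Osmedeus project, and the Finding type, the report template and the sample rows are constructed for the example. It renders the same attacker-controlled scan output through text/template (which copies it verbatim, the stored-XSS case) and through html/template (which applies contextual escaping), shows pre-escaping the data as the interim fix for non-template report paths, and includes the review check for already-generated reports.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	htmltemplate "html/template"
	"regexp"
	texttemplate "text/template"
)

// Finding is a constructed stand-in for one row of recon output that a
// workflow might render into an HTML summary report. Title is whatever the
// target's web server answered, so it is attacker-controlled by definition.
type Finding struct {
	Host  string
	Title string
}

// SampleFindings returns constructed data: one benign row and two rows where
// the target returned a <title> carrying active content (a script tag and an
// inline event handler). The hostnames are placeholders.
func SampleFindings() []Finding {
	return []Finding{
		{Host: "app.example.com", Title: "Login"},
		{Host: "dev.example.com", Title: `<script>alert(document.cookie)</script>`},
		{Host: "old.example.com", Title: `<img src=x onerror=alert(1)>`},
	}
}

// reportTmpl is the same template text for both renderers; only the package
// that parses it differs.
const reportTmpl = `<table>
{{range .}}<tr><td>{{.Host}}</td><td>{{.Title}}</td></tr>
{{end}}</table>
`

// RenderUnsafe reproduces the stored-XSS failure mode: text/template copies
// Title into the page byte for byte, so the payload becomes part of the
// report and runs in the browser of whoever opens it.
func RenderUnsafe(findings []Finding) (string, error) {
	t, err := texttemplate.New("report").Parse(reportTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, findings); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderSafe is the fix: html/template escapes each value for the HTML
// context it lands in, so the same data renders as inert text.
func RenderSafe(findings []Finding) (string, error) {
	t, err := htmltemplate.New("report").Parse(reportTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, findings); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// EscapeFindings is the interim measure for report paths that are not
// template-driven (for example a shell step that concatenates HTML): encode
// the untrusted fields before they are written anywhere.
func EscapeFindings(findings []Finding) []Finding {
	out := make([]Finding, len(findings))
	for i, f := range findings {
		out[i] = Finding{Host: html.EscapeString(f.Host), Title: html.EscapeString(f.Title)}
	}
	return out
}

// activeContent matches the usual carriers of injected script in a report:
// script tags, tags carrying an inline event handler, and javascript: URLs.
// A literal '<' is required for the first two, so HTML-escaped text does not
// trip the check.
var activeContent = regexp.MustCompile(`(?i)<script|<[a-z][^>]*\son[a-z]+\s*=|javascript:`)

// ContainsActiveContent is the review check for already-generated reports:
// true means the file should not be opened in a browser session that holds
// operator credentials until it has been inspected.
func ContainsActiveContent(report string) bool {
	return activeContent.MatchString(report)
}

func main() {
	findings := SampleFindings()
	unsafe, _ := RenderUnsafe(findings)
	safe, _ := RenderSafe(findings)
	escaped, _ := RenderUnsafe(EscapeFindings(findings))
	fmt.Printf("text/template report carries active content:  %v\n", ContainsActiveContent(unsafe))
	fmt.Printf("html/template report carries active content:  %v\n", ContainsActiveContent(safe))
	fmt.Printf("pre-escaped data through text/template:       %v\n", ContainsActiveContent(escaped))
}
```

The point of the third case is that encoding must happen at whichever boundary the untrusted data crosses into HTML: html/template does it at render time, html.EscapeString does it at write time, and either is sufficient on its own. The regex check is a triage aid for existing workspace files, not a sanitiser; anything it flags should be regenerated from a patched build rather than hand-edited.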
CVE-2024-51735 is a critical stored XSS vulnerability in the Osmedeus web server (github.com/j3ssie/osmedeus): script planted in stored scan content executes in the browser of operators viewing the web UI and can be escalated to RCE on the scanning host.
You are affected if you run any Osmedeus web server version prior to 4.6.5. Check the version of the binary you run (or the github.com/j3ssie/osmedeus requirement in your go.mod if you build it yourself) and upgrade immediately.
Upgrade to version 4.6.5 or later. As an interim measure, encode untrusted scan output before it reaches report templates, avoid the summary module, and inspect generated reports before opening them in an operator session.
As of now there is no confirmed exploitation in the wild and no public proof-of-concept code.
Refer to the project's GitHub repository (github.com/j3ssie/osmedeus) for the release and any further advisories related to this vulnerability.