CVE-2024-25175

MEDIUM

kickdler < 1.107.0 - Cross-Site Scripting via HTTP Response Splitting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-25175. PoCs published by jet-pentest.

AI-analyzed exploit summary This repository documents a reflected XSS vulnerability (CVE-2024-25175) in Kickidler Server via HTTP response splitting. The exploit leverages improper input validation in the `kickidler_authentication_token` parameter to inject malicious JavaScript.

Description

An issue in Kickdler before v1.107.0 allows attackers to provide an XSS payload via a HTTP response splitting attack.

Exploits (1)

nomisec WRITEUP

by jet-pentest · poc

https://github.com/jet-pentest/CVE-2024-25175

View Code ZIP pw:eip

This repository documents a reflected XSS vulnerability (CVE-2024-25175) in Kickidler Server via HTTP response splitting. The exploit leverages improper input validation in the `kickidler_authentication_token` parameter to inject malicious JavaScript.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Kickidler Server before version 1.107.0

No auth needed

Prerequisites: Victim must follow a crafted link

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/jet-pentest/CVE-2024-25175

Product

https://www.kickidler.com/

Scores

CVSS v3 6.1

EPSS 0.0045

EPSS Percentile 35.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

kickdler/kickdler < 1.107.0

Published Mar 25, 2024

Tracked Since Feb 18, 2026