CVE-2024-53617

MEDIUM

LibrePhotos - Cross-Site Scripting and Authorization Bypass via File Upload


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-53617. PoCs published by ii5mai1.

AI-analyzed exploit summary: This PoC demonstrates a stored XSS vulnerability in LibrePhotos before version 2024w47 by exploiting an IDOR in file upload to upload an HTML file on behalf of the admin user. The exploit uses authenticated API calls to upload and complete the file upload process, then generates a link to trigger the XSS.

Description

A Cross-Site Scripting vulnerability in LibrePhotos before commit 32237 allows attackers to take over any account by uploading an HTML file on behalf of the admin user, using an IDOR in the file upload.

Exploits (1)

nomisec WORKING POC
by ii5mai1 · poc
https://github.com/ii5mai1/CVE-2024-53617


Classification
Working PoC 95%
Attack Type
XSS
Complexity
Moderate
Reliability
Reliable
Target: LibrePhotos before version 2024w47
Auth required
Prerequisites: Valid attacker credentials · Target LibrePhotos instance · Network access to the target
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 4.8
EPSS 0.0052
EPSS Percentile 40.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-639 CWE-79
Status published
Published Dec 02, 2024
Tracked Since Feb 18, 2026