CVE-2024-5737

MEDIUM

AdmirorFrames < 5.0 - Cross-Site Scripting via afGdStream.php Image Data

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-5737. PoCs published by afine-com.

AI-analyzed exploit summary The repository describes an HTML injection vulnerability in AdmirorFrames Joomla! Extension < 5.0, where the `afGdStream.php` file fails to set the `Content-Type` header, causing image data to be interpreted as HTML. The PoC demonstrates generating a PNG with HTML tags embedded in its dimensions.

Description

Script afGdStream.php in AdmirorFrames Joomla! extension doesn’t specify a content type and as a result default (text/html) is used. An attacker may embed HTML tags directly in image data which is rendered by a webpage as HTML. This issue affects AdmirorFrames: before 5.0.

Exploits (1)

nomisec WRITEUP

by afine-com · poc

https://github.com/afine-com/CVE-2024-5737

View Code ZIP pw:eip

The repository describes an HTML injection vulnerability in AdmirorFrames Joomla! Extension < 5.0, where the `afGdStream.php` file fails to set the `Content-Type` header, causing image data to be interpreted as HTML. The PoC demonstrates generating a PNG with HTML tags embedded in its dimensions.

Classification

Writeup 90%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: AdmirorFrames Joomla! Extension < 5.0

No auth needed

Prerequisites: Access to the vulnerable Joomla! extension · Ability to upload or manipulate image files

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory third-party-advisory

https://cert.pl/en/posts/2024/06/CVE-2024-5735/

Third Party Advisory third-party-advisory

https://cert.pl/posts/2024/06/CVE-2024-5735/

Issue Tracking issue-tracking

https://github.com/vasiljevski/admirorframes/issues/3

Exploit, Third Party Advisory technical-description

https://github.com/sectroyer/CVEs/tree/main/CVE-2024-5737

View Exploit ZIP pw:eip

Exploit, Third Party Advisory technical-description

https://github.com/afine-com/CVE-2024-5737

Scores

CVSS v3 6.1

EPSS 0.0108

EPSS Percentile 60.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

admiror-design-studio/admirorframes < 5.0

Published Jun 28, 2024

Tracked Since Feb 18, 2026