CVE-2024-7124

MEDIUM

DInGO dLibra 6.0-6.3.19 - Reflected Cross-Site Scripting via Indexsearch Filter Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-7124. PoCs published by kac89.

AI-analyzed exploit summary: This repository provides a proof-of-concept for a reflected XSS vulnerability in DInGO dLibra software versions from 6.0 before 6.3.20 (6.3.20 is the fixed release). The exploit leverages the 'filter' parameter of the 'indexsearch' endpoint to inject a script into the page returned to the victim.

Description

Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software in the parameter 'filter' of the endpoint 'indexsearch' allows a Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into opening a crafted URL, which will cause a script to run in the user's browser in the context of the dLibra site. This issue affects DInGO dLibra software in versions from 6.0 before 6.3.20.
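A practitioner triaging this bug usually wants a safe way to tell whether a given dLibra instance reflects the 'filter' parameter unescaped, without sending an actual script. The following check is an added example written for this page; it is not code from the CVE record, from CERT Polska, or from the kac89 PoC repository. It assumes the endpoint lives at <base>/dlibra/indexsearch (the page only names the endpoint 'indexsearch'; the path prefix is an assumption) and uses a harmless canary token whose angle brackets show whether the server HTML-encodes reflected input. The sample response bodies are constructed here for offline testing.

```python
"""Reflection check for the dLibra 'indexsearch' filter parameter (CVE-2024-7124).

Added example, not part of the CVE record or the PoC repository.
Assumptions:
  - endpoint path: <base>/dlibra/indexsearch  (path prefix is assumed)
  - parameter name: filter                      (from the CVE description)
The canary contains angle brackets but no executable content, so it only
reveals whether output encoding is applied to the reflected value.
"""
import html
import sys
import urllib.request
from urllib.parse import urlencode, urljoin

CANARY = "<cve7124canary>"          # benign marker, never runs in a browser
ENDPOINT_PATH = "dlibra/indexsearch"  # assumed location of the endpoint


def build_probe_url(base_url: str, canary: str = CANARY) -> str:
    """Return the probe URL with the canary URL-encoded into ?filter=."""
    root = base_url.rstrip("/") + "/"
    return urljoin(root, ENDPOINT_PATH) + "?" + urlencode({"filter": canary})


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how a response body reflects the canary.

    'unescaped' -> raw '<cve7124canary>' present: output encoding missing,
                   consistent with the reflected XSS described in the CVE
    'escaped'   -> only '&lt;cve7124canary&gt;' present: encoding in place,
                   the behaviour expected from the fixed release
    'absent'    -> the parameter is not reflected into the page at all
    """
    if canary in body:
        return "unescaped"
    if html.escape(canary) in body:
        return "escaped"
    return "absent"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL and classify the live response (network access)."""
    req = urllib.request.Request(
        build_probe_url(base_url),
        headers={"User-Agent": "cve-2024-7124-reflection-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return classify_reflection(resp.read().decode(charset, "replace"))


# Constructed sample responses used for offline testing; not captured
# from a real dLibra instance.
VULNERABLE_BODY = (
    '<html><body><form action="indexsearch">'
    '<input type="text" name="filter" value=""><cve7124canary>">'
    "</form><p>No results for <cve7124canary></p></body></html>"
)
PATCHED_BODY = (
    '<html><body><form action="indexsearch">'
    '<input type="text" name="filter" value="&lt;cve7124canary&gt;">'
    "</form><p>No results for &lt;cve7124canary&gt;</p></body></html>"
)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(probe(sys.argv[1]))
    else:
        # Offline demonstration on the constructed bodies.
        print("vulnerable sample:", classify_reflection(VULNERABLE_BODY))
        print("patched sample:   ", classify_reflection(PATCHED_BODY))
```

Run it with a base URL to test a live instance, or with no arguments to see the classification on the constructed samples. A result of 'unescaped' on a 6.0 through 6.3.19 instance matches the advisory; 'escaped' is what the fixed release should produce. The check looks only at the HTML text context, so a value reflected inside a script block or an unquoted attribute would still need manual review even when it reports 'escaped'.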

Exploits (1)

nomisec WORKING POC
by kac89 · poc
https://github.com/kac89/CVE-2024-7124

This repository provides a proof-of-concept for a reflected XSS vulnerability in DInGO dLibra software versions from 6.0 before 6.3.20. The exploit leverages the 'filter' parameter of the 'indexsearch' endpoint to inject a script into the page returned to the victim.

Classification
Working PoC: 90% confidence
Attack Type: XSS (reflected)
Complexity: Trivial
Reliability: Reliable
Target: DInGO dLibra 6.0 before 6.3.20
Authentication: none needed
Prerequisites: a crafted URL carrying the payload in the 'filter' parameter, which the victim must open in a browser
MITRE ATT&CK: none mapped
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References (3)
third-party-advisory (CERT Polska, English): https://cert.pl/en/posts/2024/11/CVE-2024-7124/
third-party-advisory (CERT Polska, Polish): https://cert.pl/posts/2024/11/CVE-2024-7124/
product: https://dingo.psnc.pl/dlibra/

Scores

CVSS v4: 5.3 (Medium)
EPSS: 0.0105 (1.05%), percentile 59.8%
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:Green

CISA SSVC

Vulnrichment (CISA SSVC)
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE
CWE-79
Status published
Products (1)
Poznan Supercomputing and Networking Center / DInGO dLibra, versions from 6.0 before 6.3.20
Published Nov 14, 2024
Tracked Since Feb 18, 2026