Linkace
CVE-2024-56507
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a reflected cross-site scripting (XSS) vulnerability exists in the LinkAce. This issue occurs in the "URL" field of the "Edit Link" module, where user input is not properly sanitized or encoded before being reflected in the HTML response. This allows attackers to inject and execute arbitrary JavaScript in the context of the victim’s browser, leading to potential session hijacking, data theft, and unauthorized actions. This vulnerability is fixed in 1.15.6.
AnalysisAI
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. LinkAce is a self-hosted archive to collect links of your favorite websites. Prior to 1.15.6, a reflected cross-site scripting (XSS) vulnerability exists in the LinkAce. This issue occurs in the "URL" field of the "Edit Link" module, where user input is not properly sanitized or encoded before being reflected in the HTML response. This allows attackers to inject and execute arbitrary JavaScript in the context of the victim’s browser, leading to potential session hijacking, data theft, and unauthorized actions. This vulnerability is fixed in 1.15.6. Affected products include: Linkace. Version information: Prior to 1.15.6.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 8.4), this vulnerability is remotel
LinkAce is a self-hosted archive to collect links of your favorite websites. Rated high severity (CVSS 7.6), this vulner
LinkAce is a self-hosted archive to collect website links. Rated high severity (CVSS 7.3), this vulnerability is remotel
Stored XSS in LinkAce 2.4.2 and below allows authenticated users to inject malicious JavaScript through improperly sanit
Stored cross-site scripting in LinkAce prior to 2.5.6 allows a low-privilege OAuth-authenticated user to plant a persist
Server-Side Request Forgery (SSRF) in LinkAce self-hosted link archival application allows authenticated users to bypass
Remote code execution in LinkAce self-hosted link archive versions prior to 2.5.6 allows unauthenticated remote attacker
Server-side request forgery in LinkAce allows authenticated users to make arbitrary HTTP requests to internal network ad
Cross-tenant resource tampering in LinkAce before 2.5.6 lets any authenticated user modify links, lists, tags, and notes
LinkAce versions before 2.5.3 disclose private notes to authenticated users via the web interface when viewing shared li
Server-side request forgery (SSRF) in LinkAce prior to version 2.5.4 allows authenticated users to read responses from i
LinkAce versions 2.1.0 and earlier allow authenticated users to inappropriately associate other users' private taxonomie
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today