Home > Vulnerability Database > CVE-2024-32890

Mend.io Vulnerability Database

CVE-2024-32890

Date: May 1, 2024

librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The "processedString" field in the "ispinfo" parameter is missing neutralization. It is stored when a user submits a speedtest result to the telemetry API ("results/telemetry.php") and returned in the JSON API ("results/json.php"). This vulnerability has been introduced in commit 3937b94. This vulnerability affects LibreSpeed speedtest instances running version 5.2.5 or higher which have telemetry enabled and has been addressed in version 5.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: PHP

Severity Score

6.1

Related Resources (5)

Url: https://github.com/librespeed/speedtest/security/advisories/GHSA-3954-xrwh-fq4q

Url: https://github.com/librespeed/speedtest/commit/dd1ce2cb8830d94dcaa0b8e70b9406144a0e5f8d

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-32890

Url: https://github.com/librespeed/speedtest/commit/3937b940e80b734acae36cd41a2a31819593e728

Url: https://www.mend.io/vulnerability-database/CVE-2024-32890

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-32890

Date: May 1, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?