CVE-2024-56361: 
PHP vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was identified in LGSL (Live Game Server List) before version 7.0.0. The vulnerability exists in the function lgsl_query_40 within lgsl_protocol.php, which implements an HTTP crawler. When making requests to registered game servers, the crawler processes responses from the /info endpoint without proper sanitization, allowing malicious JavaScript to be rendered on the info page through lgsl_details.php (GitHub Advisory).

The vulnerability stems from improper sanitization of user input in the lgsl_query_40 function. When the function makes requests to registered game servers and processes responses from the /info endpoint, the received data is not properly sanitized before being displayed via lgsl_details.php. The CVSS v4.0 base score for this vulnerability is 5.3 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (NVD).

When successfully exploited, this vulnerability allows attackers to inject and execute malicious JavaScript code that will affect all users who access the affected page. The stored nature of the XSS means that the malicious payload persists on the server and is served to any user viewing the compromised page (GitHub Advisory).

The vulnerability has been fixed in version 7.0.0 by implementing output encoding via htmlentities. The fix includes proper sanitization of user input using htmlentities() with ENT_QUOTES and UTF-8 encoding (GitHub Commit).