CVE-2024-56517: 
PHP vulnerability analysis and mitigation

LGSL (Live Game Server List), a tool that provides online status lists for online video games, contains a reflected cross-site scripting vulnerability in versions up to and including 6.2.1. The vulnerability was discovered in the Referer HTTP header handling and was disclosed on December 30, 2024 (GitHub Advisory).

The vulnerability exists in the /lgsl_files/lgsl_list.php file where the application processes the HTTP Referer header without proper sanitization. Specifically, between lines 20-24, the code assigns the unsanitized $_SERVER['HTTP_REFERER'] value to the $uri variable when the preloader configuration is enabled. When malicious input is provided in the Referer header, it is reflected back into an HTML attribute in the application's response, allowing for arbitrary JavaScript code execution (GitHub Code). The vulnerability has been assigned a CVSS v4.0 score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).

The vulnerability allows attackers to inject and execute arbitrary JavaScript code in the context of users' browsers who visit the affected pages. This could lead to session hijacking, credential theft, or other client-side attacks depending on the specific exploitation scenario (GitHub Advisory).

A patch has been implemented in commit 7ecb839df9358d21f64cdbff5b2536af25a77de1, which adds proper sanitization using htmlspecialchars() with ENT_QUOTES and UTF-8 encoding for the Referer header value (GitHub Commit).