{"id":"CVE-2024-25976","details":"When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim's browser. This is due to a fault in the file login.php where the content of \"$_SERVER['PHP_SELF']\" is reflected into the HTML of the website. Hence the attacker does not need a valid account in order to exploit this issue.","modified":"2026-03-14T12:30:25.127003Z","published":"2024-05-29T13:15:49.563Z","references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/May/34"},{"type":"WEB","url":"https://r.sec-consult.com/hawki"},{"type":"FIX","url":"https://github.com/HAWK-Digital-Environments/HAWKI/commit/146967f3148e92d1640ffebc21d8914e2d7fb3f1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/hawk-digital-environments/hawki","events":[{"introduced":"0"},{"fixed":"146967f3148e92d1640ffebc21d8914e2d7fb3f1"}]},{"type":"GIT","repo":"https://github.com/hawk-digital-environments/hawki","events":[{"introduced":"0"},{"fixed":"146967f3148e92d1640ffebc21d8914e2d7fb3f1"}]}],"versions":["1.0.0-beta.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25976.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}