CVE-2024-50705
Published: 04 March 2025
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2024-50705 is an unauthenticated reflected cross-site scripting (XSS) vulnerability affecting Uniguest Tripleplay versions prior to 24.2.1. The flaw, tied to CWE-352 (Cross-Site Request Forgery, though primarily manifesting as XSS), allows remote attackers to execute arbitrary scripts in the context of a victim's browser via the "page" parameter. It received a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability despite requiring adjacent network access and low privileges.
Exploitation requires an attacker on the same adjacent network (e.g., shared LAN or Wi-Fi) to craft malicious requests targeting the vulnerable parameter, tricking a user into interacting with a malicious link or page. Although described as unauthenticated, the CVSS vector notes low privileges (PR:L), suggesting some form of limited access might be involved. Successful exploitation enables arbitrary script execution in the victim's browser, potentially leading to session hijacking, data theft, or further compromise depending on the application's privileges and user context.
Uniguest has published mitigation guidance in their CVE bulletins and a dedicated vulnerability summary PDF. Security practitioners should upgrade to Tripleplay version 24.2.1 or later, as affected versions before this release remain vulnerable. Additional details on patches and workarounds are available at https://uniguest.com/cve-bulletins/ and https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50705-Vulnerability-Summary.pdf.
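To make the summary concrete, the following added example (not Uniguest's or Tripleplay's code; the handler, paths and log lines are constructed placeholders) shows a hypothetical handler that reflects the "page" parameter unescaped beside its HTML-encoded form, and a small access-log check that flags requests whose decoded "page" value carries markup, which is what a defender would look for while rolling out the 24.2.1 upgrade.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines; the second request carries markup in
# the "page" parameter. Paths and client addresses are placeholders.
SAMPLE_LOG = [
    '10.0.0.7 - - [04/Mar/2025:10:00:01] "GET /view?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Mar/2025:10:00:02] "GET /view?page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530',
]


def page_param(query: str) -> str:
    """Return the first (percent-decoded) 'page' value in a query string, or ''."""
    return parse_qs(query, keep_blank_values=True).get("page", [""])[0]


def render_vulnerable(query: str) -> str:
    """Hypothetical vulnerable handler: reflects 'page' into HTML unescaped,
    so markup supplied by the request runs in the viewer's browser."""
    return f"<h1>Page: {page_param(query)}</h1>"


def render_hardened(query: str) -> str:
    """Same handler with contextual HTML encoding applied before reflection."""
    return f"<h1>Page: {html.escape(page_param(query), quote=True)}</h1>"


# Characters and tokens that have no business in a page name once decoded.
MARKUP = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)


def suspicious_page_requests(log_lines):
    """Return (client, decoded page value) for requests whose 'page' value
    contains markup after URL decoding, i.e. reflected-XSS attempts."""
    hits = []
    for line in log_lines:
        m = re.search(r'^(\S+) .* "GET (\S+) HTTP', line)
        if not m:
            continue
        client, target = m.groups()
        value = page_param(urlparse(target).query)
        if MARKUP.search(value):
            hits.append((client, value))
    return hits
```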
Details
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007), facilitating browser session hijacking (T1185) and theft of web session cookies (T1539) for data theft or further compromise.