CVE-2024-25807 identifies a Cross Site Scripting (XSS) vulnerability in Lychee version 3.1.6, an open-source photo management application. The vulnerability arises from improper sanitization of the 'title' parameter during album creation, allowing remote attackers to inject malicious scripts. When exploited, these scripts can execute arbitrary code in the context of the victim's browser, potentially leading to theft of sensitive information such as session cookies or credentials, and manipulation of the web interface. The vulnerability is classified under CWE-79, indicating a classic reflected or stored XSS issue. According to the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), the attack can be performed remotely over the network without privileges but requires user interaction, such as clicking a crafted link or submitting a malicious form. The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component, increasing its impact. The CVSS score of 6.1 reflects a medium severity level, primarily due to the need for user interaction and the limited impact on availability. No patches or known exploits are currently reported, but the vulnerability's presence in a widely used open-source tool necessitates prompt attention.

The exploitation of this XSS vulnerability can lead to unauthorized execution of scripts in users' browsers, compromising confidentiality and integrity by exposing sensitive data like session tokens or personal information. Attackers could leverage this to hijack user sessions, perform actions on behalf of users, or spread malware. While availability is not directly impacted, the trustworthiness of the affected application is undermined, potentially leading to reputational damage. Organizations relying on Lychee 3.1.6 for photo management, especially those with public or semi-public deployments, face increased risk of targeted attacks or widespread exploitation if the vulnerability is weaponized. The medium severity indicates a moderate but non-trivial risk, particularly in environments with high user interaction or where sensitive data is managed. The lack of authentication requirement broadens the attack surface, making it accessible to unauthenticated remote attackers. The scope change implies that the vulnerability could affect other components or users beyond the initial target, increasing potential damage.

To mitigate CVE-2024-25807, organizations should first verify if they are running Lychee version 3.1.6 and plan to upgrade to a patched version once available. In the absence of an official patch, implement strict input validation and sanitization on the 'title' parameter to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit user privileges and restrict album creation capabilities to trusted users only. Educate users to avoid clicking on suspicious links or submitting untrusted content. Monitor web application logs for unusual input patterns or attempted XSS payloads. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS attack signatures specific to Lychee. Regularly review and update security configurations and maintain awareness of updates from the Lychee project. Finally, conduct security testing and code reviews focusing on input handling to prevent similar vulnerabilities.