CVE-2024-51875 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the MDC YouTube Downloader software developed by Nazmul Ahsan. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages within the application, allowing malicious scripts to be injected and executed in the context of the victim's browser. This type of XSS is client-side, meaning the malicious payload is executed when the victim interacts with the affected web interface, potentially leading to session hijacking, credential theft, or unauthorized actions. The affected versions include all releases up to and including 3.0.0. No patches or fixes have been linked yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability does not require authentication but does require user interaction to trigger the attack, such as clicking a crafted link or loading a manipulated page. MDC YouTube Downloader is a tool used to download YouTube videos, and while it may not be enterprise software, it is used by individuals and possibly organizations for media handling. The lack of a CVSS score necessitates an expert severity assessment based on impact and exploitability factors.

The primary impact of this DOM-based XSS vulnerability is on the confidentiality and integrity of user data within the MDC YouTube Downloader application. Successful exploitation can allow attackers to execute arbitrary JavaScript in the context of the victim’s browser, leading to session hijacking, theft of cookies or credentials, and potentially the execution of unauthorized actions on behalf of the user. While the downloader itself may not hold sensitive enterprise data, users’ browser sessions and any integrated services could be compromised. This can lead to broader security issues if attackers leverage the foothold to pivot into other systems or steal sensitive information. The vulnerability’s requirement for user interaction limits automated exploitation but does not eliminate risk, especially in phishing scenarios. Organizations relying on this tool for media processing or distribution may face reputational damage and operational disruption if users are compromised. The absence of known exploits suggests a window for proactive mitigation before widespread abuse occurs.

1. Immediately restrict or monitor the use of MDC YouTube Downloader within organizational environments until a patch is available. 2. Implement strict input validation and output encoding on all user-supplied data within the application to prevent script injection. 3. Educate users about the risks of clicking on untrusted links or loading unverified content within the downloader interface. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers interacting with the application. 5. Monitor network traffic and application logs for unusual activity indicative of attempted XSS exploitation. 6. Once a vendor patch or update is released, prioritize timely application of the fix to eliminate the vulnerability. 7. Consider sandboxing or isolating the downloader environment to reduce the impact of potential exploitation. 8. Use browser security features such as disabling JavaScript execution where feasible or using script-blocking extensions during use of the downloader.