CVE-2024-53617 is a Cross Site Scripting (XSS) vulnerability identified in LibrePhotos, an open-source photo management application. The flaw exists in versions prior to commit 32237 and arises due to an Insecure Direct Object Reference (IDOR) vulnerability in the file upload mechanism. Specifically, an attacker with administrative privileges can upload a crafted HTML file that contains malicious scripts. When this file is accessed or rendered by other users, the embedded scripts execute in their browsers, enabling the attacker to hijack sessions or perform actions on behalf of the victim user. The vulnerability requires the attacker to have high privileges (admin) and some user interaction, such as the victim accessing the malicious file. The CVSS 3.1 score is 4.8 (medium), reflecting the moderate impact on confidentiality and integrity but no impact on availability. The attack vector is network-based with low attack complexity but requires privileges and user interaction. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-639 (Authorization Bypass Through User-Controlled Key). No patches or exploits are currently publicly available, but the risk remains significant due to the potential for account takeover and unauthorized access to user data.

The primary impact of CVE-2024-53617 is the potential for attackers to hijack user accounts within LibrePhotos by exploiting the XSS vulnerability via malicious HTML file uploads. This can lead to unauthorized access to personal photo collections, exposure of sensitive metadata, and potential further lateral movement within an organization's infrastructure if LibrePhotos is integrated with other systems. The confidentiality and integrity of user data are at risk, as attackers can steal session tokens or perform actions on behalf of victims. Although availability is not directly affected, the breach of trust and data privacy can have reputational and compliance consequences for organizations. Since exploitation requires admin privileges, the threat is elevated in environments where admin accounts are not tightly controlled or where insider threats exist. Organizations using LibrePhotos for managing sensitive or private images are particularly vulnerable to privacy violations and data leakage.

To mitigate CVE-2024-53617, organizations should implement the following specific measures: 1) Immediately update LibrePhotos to the version including commit 32237 or later where the vulnerability is fixed. 2) Restrict file upload types strictly to safe image formats (e.g., JPEG, PNG) and disallow HTML or other executable content uploads. 3) Implement robust access controls and authorization checks on file upload endpoints to prevent IDOR exploitation, ensuring only authorized users can upload files and that uploaded files are properly scoped to the uploader’s permissions. 4) Sanitize and validate all uploaded content to neutralize any embedded scripts or malicious payloads. 5) Employ Content Security Policy (CSP) headers to limit the impact of any injected scripts. 6) Monitor logs for unusual file upload activities or admin account behaviors. 7) Educate administrators on the risks of uploading untrusted files and enforce the principle of least privilege for admin accounts. 8) Conduct regular security audits and penetration testing focused on file upload functionalities.