Cyber Resilience

CVE-2024-50705

High

Published: 04 March 2025

Published
04 March 2025
Modified
21 May 2025
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0060 69.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50705 is a high-severity CSRF (CWE-352) vulnerability in Uniguest Tripleplay. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked in the top 30.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2024-50705 is an unauthenticated reflected cross-site scripting (XSS) vulnerability affecting Uniguest Tripleplay versions prior to 24.2.1. The flaw, tied to CWE-352 (Cross-Site Request Forgery, though primarily manifesting as XSS), allows remote attackers to execute arbitrary scripts in the context of a victim's browser via the "page" parameter. It received a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability despite requiring adjacent network access and low privileges.

Exploitation requires an attacker on the same adjacent network (e.g., shared LAN or Wi-Fi) to craft malicious requests targeting the vulnerable parameter, tricking a user into interacting with a malicious link or page. Although described as unauthenticated, the CVSS vector notes low privileges (PR:L), suggesting some form of limited access might be involved. Successful exploitation enables arbitrary script execution in the victim's browser, potentially leading to session hijacking, data theft, or further compromise depending on the application's privileges and user context.

Uniguest has published mitigation guidance in their CVE bulletins and a dedicated vulnerability summary PDF. Security practitioners should upgrade to Tripleplay version 24.2.1 or later, as affected versions before this release remain vulnerable. Additional details on patches and workarounds are available at https://uniguest.com/cve-bulletins/ and https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50705-Vulnerability-Summary.pdf.

EU & UK References

Vulnerability details

Unauthenticated reflected cross-site scripting (XSS) vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary scripts via the page parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Reflected XSS enables arbitrary JavaScript execution in browser (T1059.007) facilitating session hijacking (T1185) and stealing web session cookies (T1539) for data theft or further compromise.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-50704Same product: Uniguest Tripleplay
CVE-2024-50706Same product: Uniguest Tripleplay
CVE-2024-50707Same product: Uniguest Tripleplay
CVE-2025-26578Shared CWE-352
CVE-2025-30584Shared CWE-352
CVE-2025-23654Shared CWE-352
CVE-2025-25135Shared CWE-352
CVE-2025-23818Shared CWE-352
CVE-2025-22768Shared CWE-352
CVE-2025-28931Shared CWE-352

Affected Assets

uniguest
tripleplay
24.2 · ≤ 24.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-15 directly prevents reflected XSS by requiring output filtering or encoding of the untrusted 'page' parameter before rendering in the browser.

prevent

SI-10 comprehensively mitigates the vulnerability by validating and sanitizing the 'page' parameter input to reject malicious scripts.

prevent

SI-2 addresses the CVE by requiring timely flaw remediation through upgrading to Uniguest Tripleplay version 24.2.1 or later.

References