CVE-2024-50705
Published: 04 March 2025
Summary
CVE-2024-50705 is a high-severity CSRF (CWE-352) vulnerability in Uniguest Tripleplay. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks in the top 30.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-50705 is an unauthenticated reflected cross-site scripting (XSS) vulnerability affecting Uniguest Tripleplay versions prior to 24.2.1. The flaw, tied to CWE-352 (Cross-Site Request Forgery, though primarily manifesting as XSS), allows remote attackers to execute arbitrary scripts in the context of a victim's browser via the "page" parameter. It received a CVSS v3.1 base score of 7.1 (AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high potential impact on confidentiality, integrity, and availability despite requiring adjacent network access and low privileges.
Exploitation requires an attacker on the same adjacent network (e.g., shared LAN or Wi-Fi) to craft malicious requests targeting the vulnerable parameter, tricking a user into interacting with a malicious link or page. Although described as unauthenticated, the CVSS vector notes low privileges (PR:L), suggesting some form of limited access might be involved. Successful exploitation enables arbitrary script execution in the victim's browser, potentially leading to session hijacking, data theft, or further compromise depending on the application's privileges and user context.
Uniguest has published mitigation guidance in their CVE bulletins and a dedicated vulnerability summary PDF. Security practitioners should upgrade to Tripleplay version 24.2.1 or later, as affected versions before this release remain vulnerable. Additional details on patches and workarounds are available at https://uniguest.com/cve-bulletins/ and https://uniguest.com/wp-content/uploads/2025/02/CVE-2024-50705-Vulnerability-Summary.pdf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54226
Vulnerability details
Unauthenticated reflected cross-site scripting (XSS) vulnerability in Uniguest Tripleplay before 24.2.1 allows remote attackers to execute arbitrary scripts via the page parameter.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007), which facilitates browser session hijacking (T1185) and theft of web session cookies (T1539) for data theft or further compromise.
Mitigating Controls (NIST 800-53 r5)
SI-15 directly prevents reflected XSS by requiring output filtering or encoding of the untrusted 'page' parameter before rendering in the browser.
SI-10 comprehensively mitigates the vulnerability by validating and sanitizing the 'page' parameter input to reject malicious scripts.
SI-2 addresses the CVE by requiring timely flaw remediation through upgrading to Uniguest Tripleplay version 24.2.1 or later.
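The following is an added illustration of SI-10 and SI-15 applied to a reflected "page" parameter; it is not Tripleplay's code, and the handler functions, the allowlist of page names and the HTML fragment are assumptions chosen for the example. It shows the reflecting pattern the advisory describes beside an output-encoded version and a version that validates and then encodes, plus a small response check a tester can use to confirm a value is no longer echoed raw.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed allowlist: page identifiers the application actually knows how
# to render. In a real product this would come from the routing table.
KNOWN_PAGES = {"home", "schedule", "settings"}
PAGE_NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def get_page_param(query: str) -> str:
    """Extract the raw 'page' value from a query string ('' if absent)."""
    return parse_qs(query).get("page", [""])[0]


def render_vulnerable(query: str) -> str:
    """The pattern the advisory describes: the parameter is reflected into the
    HTML unchanged, so any markup in it becomes part of the page."""
    return f"<h1>Page: {get_page_param(query)}</h1>"


def render_encoded(query: str) -> str:
    """SI-15 alone: HTML-encode the untrusted value at the point of output so
    markup in it is rendered as text rather than interpreted."""
    return f"<h1>Page: {html.escape(get_page_param(query), quote=True)}</h1>"


def validate_page(page: str) -> str:
    """SI-10: accept only a well-formed identifier that is on the allowlist;
    anything else is rejected outright rather than cleaned up."""
    if not PAGE_NAME_RE.fullmatch(page) or page not in KNOWN_PAGES:
        raise ValueError("unknown page")
    return page


def render_hardened(query: str) -> str:
    """SI-10 then SI-15: validate first, and still encode on output so a later
    change to the allowlist cannot silently reintroduce the flaw."""
    try:
        page = validate_page(get_page_param(query))
    except ValueError:
        # Never echo the rejected value back; a fixed error body leaks nothing.
        return "<h1>Error: unknown page</h1>"
    return f"<h1>Page: {html.escape(page, quote=True)}</h1>"


def reflects_raw_markup(query: str, body: str) -> bool:
    """Response check: True when a 'page' value containing HTML-significant
    characters appears verbatim in the response body (i.e. unencoded)."""
    raw = get_page_param(query)
    return any(c in raw for c in "<>\"'") and raw in body
```

The hardened handler rejects any value that is not a known page name, so a probe containing markup never reaches the template; encoding remains as the second layer in case validation is later loosened.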