GrepRules
Sign inPublish rule
Explore/cve-2024-47617-controller-mediastreamcontroller-php-cwe-79-cve-2024-47617

CVE-2024-47617: Controller Mediastreamcontroller Php Cwe 79 Cve 2024 47617

The `downloadAction` method does not accept or validate a `$slug` parameter representing the requested filename. This allows attackers to manipulate the URL's file extension (e.g., adding `.html`), leading to Cross-Site Scripting (XSS) via MIME-sniffing.

Provally CuratedPublic repositoryHighMedium confidenceVerifiedApache-2.0PHPβ
greprules fetch cve-2024-47617-controller-mediastreamcontroller-php-cwe-79-cve-2024-47617 --engine opengrep

Description

The `downloadAction` method does not accept or validate a `$slug` parameter representing the requested filename. This allows attackers to manipulate the URL's file extension (e.g., adding `.html`), leading to Cross-Site Scripting (XSS) via MIME-sniffing.

License
Apache-2.0
Source context
Public repository
Source
Provally CVE rule catalog
Validation status
Verified
Quality signals
145 downloads0 direct145 via packs
· 0 stars · Quality score 61How quality works
Included packs
2 packs