CVE ID: CVE-2024-30924  
A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically within the `checkin.php` component. This vulnerability allows remote attackers to execute arbitrary code due to improper handling of the `order` URL parameter. The flaw lies in the way the `order` parameter is embedded directly into a JavaScript variable assignment without adequate sanitization or encoding, making it possible to inject scripts.  
Vulnerability Type: Cross Site Scripting (XSS)  
Vendor of Product: DerbyNet - Available on GitHub:  
Affected Product Code Base: DerbyNet - v9.0  
Affected Component: checkin.php  
Attack Type: Remote  
Impact: Code execution is possible as a result of this vulnerability.  
Attack Vectors:  
The XSS vulnerability can be exploited by manipulating the `order` parameter in the URL. For example:  
- `</script><script>alert(1)</script>`  
- `';alert(1);//`  
These attack vectors demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.  
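The pattern described above, next to a hardened form, as an added example that is not DerbyNet's own code: the variable name `g_order` and the allowlisted sort keys are assumptions, and the non-legitimate sample inputs are the two strings already listed in this advisory. It shows why both characters classes matter: one input closes the `<script>` element, the other ends the quoted JavaScript string.

```php
<?php
// Added example, not DerbyNet's code. g_order and the allowlist values are assumptions.

// Vulnerable pattern: the raw parameter lands inside a quoted JS string in a <script> block.
function render_vulnerable(string $order): string
{
    return "<script>var g_order = '" . $order . "';</script>";
}

// Encode any string as a JS string literal that is safe inside <script>:
// the JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the value
// can neither end the string literal nor close the script element.
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Hardened pattern: allowlist first, context-aware encoding second.
const ALLOWED_ORDERS = ['name', 'class', 'car']; // assumed sort keys

function render_hardened(string $order): string
{
    if (!in_array($order, ALLOWED_ORDERS, true)) {
        $order = ALLOWED_ORDERS[0]; // unknown value: fall back to a fixed default
    }
    return '<script>var g_order = ' . js_string_literal($order) . ';</script>';
}

// Inputs: one legitimate value plus the two strings listed in this advisory.
$samples = ['class', '</script><script>alert(1)</script>', "';alert(1);//"];

foreach ($samples as $order) {
    echo 'input:      ', $order, PHP_EOL;
    echo 'vulnerable: ', render_vulnerable($order), PHP_EOL;
    echo 'encoded:    ', js_string_literal($order), PHP_EOL;
    echo 'hardened:   ', render_hardened($order), PHP_EOL, PHP_EOL;
}
```

Run with the PHP CLI (7.3 or later for `JSON_THROW_ON_ERROR`) and compare the `vulnerable` and `hardened` lines for each input; the `encoded` line shows what the encoder alone produces when a free-text value cannot be allowlisted.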
Discoverer: Valentin Lobstein  
- Official website:  
- Source code on GitHub: