CVE ID: CVE-2024-30925  
A Cross-Site Scripting (XSS) vulnerability exists in DerbyNet version 9.0, specifically within the `photo-thumbs.php` component. This issue enables a remote attacker to execute arbitrary code through the improper handling of the `racerid` and `back` parameters. The vulnerability arises because the application dynamically generates URLs for navigation without adequately sanitizing these parameters, thus allowing the injection of malicious scripts.  
Vulnerability Type: Cross-Site Scripting (XSS)  
Vendor of Product: DerbyNet - Available on GitHub:  
Affected Product Code Base: DerbyNet - v9.0  
Affected Component: photo-thumbs.php  
Attack Type: Remote  
Impact: Code execution  
Attack Vectors:  
The XSS vulnerability can be exploited through manipulation of the `racerid` and `back` parameters in the URL. Examples of such manipulation include:  
These URLs demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.  
Discoverer: Valentin Lobstein  
- Official website:  
- Source code on GitHub: