Platform
php
Component
vehicle-booking-system
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in CodeAstro Vehicle Booking System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability resides within the Feedback Page component, specifically the usr/user-give-feedback.php file. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-0346 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the Vehicle Booking System's web interface. An attacker could potentially redirect users to phishing sites, steal sensitive information entered into forms, or inject malicious content that appears to originate from the legitimate application. The blast radius is limited to users interacting with the feedback page, but the impact on individual users can be significant.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant prompt remediation. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public availability of the exploit increases the risk. The vulnerability was added to the VDB with identifier VDB-250114.
Organizations utilizing CodeAstro Vehicle Booking System version 1.0 are at risk. This includes businesses relying on the system for managing vehicle bookings and customer feedback. Shared hosting environments where multiple websites share the same server resources are particularly vulnerable, as a compromise of one website could potentially impact others.
• php: Examine the usr/user-give-feedback.php file for inadequate input validation on the My Testemonial parameter. Search for places where user-supplied data is written directly into the page without proper output encoding.
• generic web: Monitor access logs for unusual requests to usr/user-give-feedback.php containing suspicious characters or patterns commonly associated with XSS payloads (e.g., <script>, <iframe>).
• generic web: Check response headers for the presence of Content Security Policy (CSP) directives. A properly configured CSP can mitigate the impact of XSS vulnerabilities.
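The log-monitoring check above, worked through as an added example (this is not code from the CodeAstro project): a small PHP 8 script that parses Combined Log Format lines, keeps only requests for usr/user-give-feedback.php, URL-decodes the request target twice so single- and double-encoded probes are both caught, and flags targets containing the markup the advisory names (`<script>`, `<iframe>`) plus a few other common markers. The log lines, client addresses and the `mytestimonial` query-parameter name are all constructed for the demonstration.

```php
<?php
// Added example, not part of the CodeAstro Vehicle Booking System.
// Scans access-log lines for requests to the feedback page whose decoded
// target carries markup typically seen in XSS probes. Requires PHP >= 8.0.
declare(strict_types=1);

const TARGET_PATH = '/usr/user-give-feedback.php';

// Markers from the advisory (<script>, <iframe>) plus common HTML/JS sinks.
const XSS_MARKERS = ['<script', '<iframe', 'javascript:', 'onerror=', 'onload=', '<svg'];

/** Parse one Combined Log Format line into its fields, or return null. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

/**
 * True when the request targets the feedback page and its URL-decoded
 * target contains an XSS marker (case-insensitive). Decoding twice also
 * catches %25-encoded (double-encoded) payloads.
 */
function isSuspicious(array $req): bool
{
    $path = parse_url($req['target'], PHP_URL_PATH);
    if (!is_string($path) || !str_ends_with($path, TARGET_PATH)) {
        return false;
    }
    $decoded = strtolower(rawurldecode(rawurldecode($req['target'])));
    foreach (XSS_MARKERS as $marker) {
        if (str_contains($decoded, $marker)) {
            return true;
        }
    }
    return false;
}

/** Return one summary string per suspicious request. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parseLogLine($line);
        if ($req !== null && isSuspicious($req)) {
            $hits[] = sprintf('line %d: %s %s %s', $n + 1, $req['ip'], $req['method'], $req['target']);
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic). Lines 2 and 4 should be flagged.
$sample = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /vbs/usr/user-give-feedback.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2024:10:00:09 +0000] "GET /vbs/usr/user-give-feedback.php?mytestimonial=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5210',
    '198.51.100.7 - - [10/Jan/2024:10:01:00 +0000] "GET /vbs/index.php?q=%3Cscript%3E HTTP/1.1" 200 900',
    '198.51.100.7 - - [10/Jan/2024:10:01:30 +0000] "GET /vbs/usr/user-give-feedback.php?mytestimonial=%253Ciframe%2520src%3D HTTP/1.1" 200 5200',
];

foreach (scanLog($sample) as $hit) {
    echo $hit, PHP_EOL;
}
```

Run it with `php scan.php` against a real log by replacing `$sample` with `file('access.log', FILE_IGNORE_NEW_LINES)`. One caveat: a standard access log records only the request line, so a payload submitted in a POST body never appears in it; to cover form submissions you need request-body logging at the WAF or application layer, which is why the advisory also recommends a WAF and CSP rather than log review alone.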
disclosure
Exploit status
EPSS
0.22% (44th percentile)
CVSS vector
The primary mitigation for CVE-2024-0346 is to immediately upgrade the CodeAstro Vehicle Booking System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the My Testemonial parameter within the usr/user-give-feedback.php file. This can help prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the feedback form and verifying that the script is not executed.
Update the Vehicle Booking System to a patched version that fixes the XSS vulnerability. If no such version is available, review and filter user input in the usr/user-give-feedback.php file, especially the 'My Testemonial' argument, to prevent the injection of malicious code. Implement server-side data validation and sanitization to mitigate the risk.
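The interim mitigation described in the two paragraphs above (input validation plus output encoding on the testimonial field) and the CSP check from the detection list, shown side by side as an added example that is not the project's own code. The vulnerable function reproduces the pattern the advisory describes (request data concatenated straight into HTML); the hardened one validates the input and HTML-encodes it on output. The `mytestimonial` field name and the CSP policy are assumptions for illustration, and the probe string is the one the advisory suggests for post-upgrade verification.

```php
<?php
// Added example, not code from the CodeAstro Vehicle Booking System.
// Vulnerable rendering pattern beside a hardened version, plus a CSP header.
declare(strict_types=1);

/** Vulnerable pattern: raw request data concatenated into the page. */
function renderTestimonialVulnerable(string $raw): string
{
    return '<div class="testimonial">' . $raw . '</div>';
}

/**
 * Hardened version: validate on input (length, no control characters) and
 * HTML-encode on output so the text is displayed literally inside the element.
 */
function renderTestimonialSafe(string $raw): string
{
    // Server-side validation: reject oversized or binary input outright.
    if (strlen($raw) > 1000 || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw)) {
        throw new InvalidArgumentException('Invalid testimonial text');
    }
    // Output encoding: < > & " ' become entities, so no markup can break out of the text node.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="testimonial">' . $safe . '</div>';
}

/**
 * Defence in depth: a CSP without 'unsafe-inline' stops an injected inline
 * script from running even if an encoding step is missed. Must be sent
 * before any output. (Assumed policy; tune it to the application's assets.)
 */
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Verification step from the advisory: the probe must be rendered inert.
$probe = '<script>alert(1)</script>';
$vuln  = renderTestimonialVulnerable($probe);
$safe  = renderTestimonialSafe($probe);

echo "vulnerable output : $vuln\n";
echo "hardened output   : $safe\n";
echo 'raw <script> tag present in hardened output? ', str_contains($safe, '<script') ? 'yes' : 'no', "\n";
```

In the real page the `$raw` value would come from `$_POST['mytestimonial']` (assumed name) and `sendCspHeader()` would be called at the top of the script before any HTML is emitted. Note that `htmlspecialchars` is the right encoder only for text placed inside an HTML element or a quoted attribute; a value inserted into a JavaScript string, a URL or CSS needs the encoder for that context instead.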
CVE-2024-0346 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Vehicle Booking System versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'My Testemonial' parameter.
Yes, if you are running CodeAstro Vehicle Booking System version 1.0–1.0, you are vulnerable to this XSS attack. Upgrade to 1.0.1 to mitigate.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'My Testemonial' parameter.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation. Prompt remediation is advised.
Refer to the CodeAstro website or relevant security advisories for the official advisory regarding CVE-2024-0346.