Platform
php
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Eyewear Shop version 1.0. The flaw is in the Inventory Page's /oews/classes/Master.php?f=save_product functionality, specifically in its handling of the 'brand' parameter. Successful exploitation could lead to malicious script execution within a user's browser, potentially compromising sensitive data. The vulnerability is fixed in version 1.0.1.
The XSS vulnerability in Online Eyewear Shop allows an attacker to inject malicious JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit the affected page. An attacker could leverage this to steal session cookies, redirect users to phishing sites, or deface the website. The impact is amplified if the application handles sensitive user data, such as payment information or personal details, as the attacker could potentially intercept this data. The remote nature of the vulnerability means an attacker doesn't need to be authenticated to exploit it, significantly broadening the potential attack surface. Similar XSS vulnerabilities in other e-commerce platforms have been used to deploy malware and steal user credentials.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. There is currently no indication of active exploitation campaigns targeting Online Eyewear Shop. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's public disclosure and relatively simple nature.
Small to medium-sized businesses utilizing Online Eyewear Shop for their online retail operations are particularly at risk. Shared hosting environments where multiple websites share the same server infrastructure are also vulnerable, as a compromise of one website could potentially lead to the compromise of others. Users relying on legacy configurations or outdated security practices are also more susceptible.
• php / web:
curl -s -X POST -d "brand=<script>alert('XSS')</script>" "http://<target>/oews/classes/Master.php?f=save_product" | grep "<script>alert('XSS')</script>"
• generic web:
curl -I "http://<target>/oews/classes/Master.php?f=save_product&brand=<script>alert('XSS')</script>"
• generic web: Examine access logs for requests to /oews/classes/Master.php?f=save_product containing suspicious characters or JavaScript code in the 'brand' parameter.
• generic web: Check response headers for signs of XSS, such as Content-Security-Policy (CSP) headers that are not properly configured.
disclosure
patch
Exploit status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11247 is to immediately upgrade to version 1.0.1 of Online Eyewear Shop. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /oews/classes/Master.php?f=save_product endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to filter out malicious requests containing suspicious JavaScript code. Review and strengthen the application's overall security posture, including regular security audits and penetration testing. After upgrading, verify the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the 'brand' parameter and confirming that it is properly sanitized.
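The following PHP is an added illustration of the workaround described above (validate the 'brand' value on input, encode it on output); it is not code from the Online Eyewear Shop project or from Master.php. The function names validate_brand, encode_for_html, render_brand_cell_unsafe and render_brand_cell_safe, the BRAND_MAX_LEN limit and the assumption that the handler echoes the field back into an HTML table cell are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical hardening of the 'brand' field of an inventory save handler.
// Added example, not the Online Eyewear Shop project's own code.

const BRAND_MAX_LEN = 100; // assumed limit, not taken from the project

/**
 * Validate the raw 'brand' value before it is stored.
 * Returns the trimmed value, or null when the value is rejected.
 */
function validate_brand(string $raw): ?string
{
    $brand = trim($raw);
    if ($brand === '' || mb_strlen($brand, 'UTF-8') > BRAND_MAX_LEN) {
        return null;
    }
    // Allowlist: letters in any script, digits, spaces and a few punctuation
    // marks that occur in brand names. Angle brackets, slashes, quotes other
    // than the apostrophe and control characters are rejected outright.
    if (!preg_match('/^[\p{L}\p{N} .,&\'-]+$/u', $brand)) {
        return null;
    }
    return $brand;
}

/**
 * Encode a stored value for insertion into an HTML text node or a
 * double-quoted attribute. Apply this at output time even for values that
 * passed validation; the two controls are independent layers.
 */
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * 'Before' pattern (illustration only): the request parameter is written
 * into the page unchanged, which is the shape of bug the advisory describes.
 */
function render_brand_cell_unsafe(array $post): string
{
    $raw = $post['brand'] ?? '';
    return '<td>' . (is_string($raw) ? $raw : '') . '</td>';
}

/**
 * 'After' pattern: reject anything that fails validation instead of trying to
 * clean it, then encode what is rendered. A non-string value (e.g. brand[]=)
 * is treated as invalid rather than cast to "Array".
 */
function render_brand_cell_safe(array $post): string
{
    $raw = $post['brand'] ?? null;
    $brand = is_string($raw) ? validate_brand($raw) : null;
    if ($brand === null) {
        return '<td class="error">invalid brand</td>';
    }
    return '<td>' . encode_for_html($brand) . '</td>';
}

// Self-check with the probe payload quoted in the advisory and with a
// legitimate brand name containing an ampersand (constructed inputs).
$probe = ['brand' => "<script>alert('XSS')</script>"];
echo render_brand_cell_unsafe($probe), PHP_EOL; // script element reaches the page
echo render_brand_cell_safe($probe), PHP_EOL;   // rejected by validate_brand
echo render_brand_cell_safe(['brand' => 'Ray-Ban & Co.']), PHP_EOL; // ampersand is entity-encoded
```

Run it with `php harden_brand.php` (any file name works) to see the three cells side by side. The allowlist is deliberately narrow; if the catalogue needs characters outside it, widen the character class rather than dropping validation, and keep encode_for_html on every render path regardless, since stored values may predate the check or arrive through other code paths such as imports.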
Update to a patched version of the software. If no patched version is available, sanitize user input, especially the 'brand' parameter, to prevent the execution of malicious JavaScript code. Implement input validation and output encoding to prevent XSS attacks.
CVE-2024-11247 is a cross-site scripting (XSS) vulnerability affecting Online Eyewear Shop version 1.0, allowing attackers to inject malicious scripts via the 'brand' parameter of the /oews/classes/Master.php endpoint.
You are affected if you are running Online Eyewear Shop version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the affected endpoint.
While there is no confirmed active exploitation, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-11247.