Platform
php
Component
vehicle-management-system
Fixed in
1.0.1
CVE-2024-12783 describes a cross-site scripting (XSS) vulnerability, rated problematic, discovered in the isourcecode Vehicle Management System. The flaw allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. It affects version 1.0 of the system and is addressed in version 1.0.1.
An attacker can exploit this XSS vulnerability by manipulating the 'extra-cost' argument within the /billaction.php file. Successful exploitation allows the attacker to inject arbitrary JavaScript code into the application, which will then be executed in the context of the victim's browser. This could lead to session hijacking, defacement of the application, or redirection to malicious websites. The remote nature of the vulnerability means an attacker doesn't need local access to the system to exploit it. The impact is amplified if the Vehicle Management System handles sensitive user data or financial transactions, as an attacker could potentially steal credentials or manipulate financial records.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of the vulnerability details increases the likelihood of future attacks. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing the isourcecode Vehicle Management System version 1.0, particularly those with publicly accessible instances or those handling sensitive financial or personal data, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially impact others.
• php / web:
curl -I 'http://your-vehicle-management-system/billaction.php?extra-cost=<script>alert("XSS")</script>' | grep HTTP/1.1
(A HEAD request only confirms that the endpoint answers; it returns no body, so it does not show whether the value is reflected unescaped.)
• generic web:
grep -i 'extra-cost' /var/log/apache2/access.log
Disclosure
Exploit status
EPSS
0.24% (48th percentile)
CISA SSVC
CVSS vector
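The access-log check above flags every request that mentions 'extra-cost', which is noisy on a busy site. The following PHP script is an added example, not part of the Vehicle Management System or its advisory: it narrows the search to /billaction.php requests whose extra-cost value is not a plain decimal number, which is what an injection attempt looks like once the URL encoding is stripped. It assumes the Apache "combined" log format; the log lines in it are constructed samples, not real traffic.

```php
<?php
// Added example: scan Apache access-log lines for requests that pass
// non-numeric content in the 'extra-cost' parameter of billaction.php.
// Illustrative code, not part of the Vehicle Management System; the log
// format assumed is the Apache "combined" format.

declare(strict_types=1);

/**
 * Extract the URL-decoded extra-cost value from a log line, or null when
 * the line is not a billaction.php request that carries the parameter.
 */
function extractExtraCost(string $logLine): ?string
{
    // The request target sits between the method and the protocol, in quotes.
    if (preg_match('#"(?:GET|POST) ([^ "]+) HTTP/[0-9.]+"#', $logLine, $m) !== 1) {
        return null;
    }
    $parts = parse_url($m[1]);
    if (!isset($parts['path'], $parts['query'])
        || !str_ends_with($parts['path'], '/billaction.php')) {
        return null;
    }
    parse_str($parts['query'], $params);
    return isset($params['extra-cost']) ? (string) $params['extra-cost'] : null;
}

/**
 * A cost field should only ever hold a decimal number, so the check is an
 * allow-list: anything else (markup, encoded payloads, empty values) alerts.
 */
function isSuspiciousExtraCost(string $value): bool
{
    return preg_match('/^\d{1,9}(\.\d{1,2})?$/', trim($value)) !== 1;
}

/** Return the suspicious requests as [line number => decoded value]. */
function findSuspiciousRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $i => $line) {
        $value = extractExtraCost($line);
        if ($value !== null && isSuspiciousExtraCost($value)) {
            $hits[$i + 1] = $value;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): a legitimate request,
// an injection attempt, and a different script that should not be flagged.
$sample = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /billaction.php?extra-cost=125.50 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /billaction.php?extra-cost=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /index.php?extra-cost=%3Cb%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];
foreach (findSuspiciousRequests($sample) as $lineNo => $value) {
    echo "line $lineNo: suspicious extra-cost value " . json_encode($value) . PHP_EOL;
}
```

Only the second sample line is reported. Because the check is an allow-list, a benign but malformed value (an empty field, a thousands separator) also alerts; that is the intended trade-off for a parameter that has no legitimate non-numeric form. Note that POST bodies are not written to the access log, so this catches only payloads delivered in the query string.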
The primary mitigation for CVE-2024-12783 is to upgrade the isourcecode Vehicle Management System to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'extra-cost' parameter within the /billaction.php file to prevent malicious input. Web application firewalls (WAFs) can also be configured to filter out potentially malicious requests containing XSS payloads. Thoroughly test any configuration changes in a non-production environment before deploying them to production.
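To make the interim workaround concrete, here is an added PHP example of validating and encoding an 'extra-cost' style parameter. It is illustrative code written for this page, not the Vehicle Management System's own billaction.php, whose internals the advisory does not show; the function names and the sample inputs are assumptions.

```php
<?php
// Added example: input validation and output encoding for an 'extra-cost'
// style parameter. This is illustrative code, not the Vehicle Management
// System's own billaction.php, whose internals are not shown in the advisory.

declare(strict_types=1);

/**
 * Validate a user-supplied extra-cost value.
 * Returns the value as a float, or null when it is not a plain non-negative
 * decimal number, which is all a cost field should ever contain.
 */
function validateExtraCost(mixed $raw): ?float
{
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        return null; // arrays, objects and missing values are rejected
    }
    $value = trim((string) $raw);
    // Allow-list: digits with an optional fractional part, nothing else.
    if (preg_match('/^\d{1,9}(\.\d{1,2})?$/', $value) !== 1) {
        return null;
    }
    return (float) $value;
}

/**
 * Encode a string before it is placed into HTML, so that any markup in it
 * is rendered as text rather than interpreted by the browser.
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Build the HTML fragment that echoes the parameter back to the user.
 * Both defences apply: the value is validated first, and everything that
 * is rendered passes through escapeHtml().
 */
function renderExtraCost(array $query): string
{
    $cost = validateExtraCost($query['extra-cost'] ?? null);
    if ($cost === null) {
        return '<p class="error">Invalid extra cost.</p>';
    }
    return '<p>Extra cost: ' . escapeHtml(number_format($cost, 2)) . '</p>';
}

// The pattern the advisory describes, shown only for contrast: reflecting
// the raw parameter lets injected markup reach the victim's browser.
//   echo '<p>Extra cost: ' . $_GET['extra-cost'] . '</p>';

// Constructed sample inputs: a legitimate value and the injection attempt
// quoted in the advisory's check.
$samples = [
    ['extra-cost' => '125.50'],
    ['extra-cost' => '<script>alert("XSS")</script>'],
];
foreach ($samples as $q) {
    echo renderExtraCost($q), PHP_EOL;
}
```

Validation and encoding are separate controls and both belong in the fix: the allow-list rejects the payload outright, while escapeHtml() protects the rendered page even if some other code path later reflects a value that was never validated. A WAF rule on the same parameter, as the paragraph above suggests, adds a third layer but should not replace these two.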
Upgrade to a patched version of the Vehicle Management System. If no such version is available, review and filter input to the 'extra-cost' parameter in the /billaction.php file to prevent the execution of malicious JavaScript. Implement input validation and sanitization to prevent future XSS attacks.
CVE-2024-12783 is a cross-site scripting (XSS) vulnerability affecting version 1.0 of the isourcecode Vehicle Management System, allowing attackers to inject malicious scripts via the 'extra-cost' parameter of the /billaction.php file.
You are affected if you are using isourcecode Vehicle Management System version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and sanitization on the 'extra-cost' parameter.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed and may be targeted by attackers.
Refer to the isourcecode website or relevant security forums for the official advisory regarding CVE-2024-12783.