Platform
php
Component
simple-admin-panel
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Simple Admin Panel version 1.0. The issue stems from improper handling of user-supplied input in the updateItemController.php file, specifically the pname and pdesc parameters. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability is fixed in version 1.0.1.
The XSS vulnerability in Simple Admin Panel allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a user's browser, potentially leading to a variety of malicious actions. An attacker could steal session cookies, redirect users to phishing sites, deface the website, or even execute arbitrary code on the server if the application has sufficient privileges. The impact is amplified if the application is used to manage sensitive data or if it has access to critical system resources. While the CVSS score is LOW, the potential for user compromise and data theft remains a significant concern.
CVE-2024-12933 was publicly disclosed on December 26, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (POC) code has been released. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The LOW CVSS score suggests a relatively low probability of exploitation, but diligent patching is still recommended.
Organizations using Simple Admin Panel version 1.0 are at risk. This includes those deploying the panel on shared hosting environments, as vulnerabilities in the panel could potentially impact other websites hosted on the same server. Users who rely on Simple Admin Panel to manage sensitive data or critical system configurations are particularly vulnerable.
• php / web:
curl -s -X POST 'http://your-simple-admin-panel/updateItemController.php?p_name=<script>alert("XSS")</script>&p_desc=test' | grep 'alert("XSS")'
• generic web:
curl -s 'http://your-simple-admin-panel/updateItemController.php?p_name=<script>alert("XSS")</script>&p_desc=test' | grep 'alert("XSS")'
Disclosure
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12933 is to upgrade Simple Admin Panel to version 1.0.1 or later, which includes a fix for the vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the pname and pdesc parameters within the updateItemController.php file. Additionally, a Web Application Firewall (WAF) can be configured to filter out malicious JavaScript code in incoming requests. Regularly review and update your WAF rules to ensure they are effective against new attack vectors. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the affected parameters and verifying that it is not executed.
Upgrade to a patched version of Simple Admin Panel. If no patched version is available, sanitize user input in `updateItemController.php` for the `p_name` and `p_desc` parameters to prevent XSS injection. Use PHP's own escaping functions to ensure that data displayed on the web page is safe.
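The mitigation above (escape user-controlled values at output time, validate input) as an added PHP illustration. This is not the Simple Admin Panel source, which this page does not show: the handler, the HTML it produces, the length limits and the function names are all hypothetical. The parameter names follow the advisory summary (pname / pdesc); the page's check commands use p_name / p_desc, so adapt them to whatever the real file reads.

```php
<?php
// Added illustration, not the Simple Admin Panel source: a hypothetical
// updateItemController.php output path showing the unsafe pattern and its fix.
declare(strict_types=1);

// Escape a value for use as an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: request parameters are interpolated straight into markup,
// so a value such as <script>...</script> is rendered and executed by the browser.
function renderItemUnsafe(string $name, string $desc): string
{
    return "<h2>$name</h2><p>$desc</p>";
}

// Fixed pattern: basic input validation (the length caps are assumed values)
// plus escaping of every user-controlled value at the point it enters HTML.
function renderItemSafe(string $name, string $desc): string
{
    if (strlen($name) > 200 || strlen($desc) > 5000) {
        throw new InvalidArgumentException('field too long');
    }
    return '<h2>' . escapeHtml($name) . '</h2><p>' . escapeHtml($desc) . '</p>';
}

// Constructed sample input of the kind the page's check commands send.
$payload = '<script>alert("XSS")</script>';

$unsafe = renderItemUnsafe($payload, 'test');
$safe   = renderItemSafe($payload, 'test');

// Self-check: the unsafe render carries the tag verbatim, the safe one does not,
// and the escaped form is exactly what a browser will display as literal text.
$expected = '<h2>&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;</h2><p>test</p>';
if (!str_contains($unsafe, '<script>') || str_contains($safe, '<script>') || $safe !== $expected) {
    fwrite(STDERR, "self-check failed\n");
    exit(1);
}
echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// In the real controller the values would come from the request, e.g.:
//   $name = (string)($_POST['pname'] ?? '');
//   $desc = (string)($_POST['pdesc'] ?? '');
//   echo renderItemSafe($name, $desc);
```

Escaping belongs at output, not only at input: a value stored unescaped in the database is still dangerous wherever it is later echoed, so every template or echo of pname and pdesc should pass through the same escaping function. Requires PHP 8.0 or later for str_contains.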
CVE-2024-12933 is a cross-site scripting (XSS) vulnerability affecting Simple Admin Panel version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are using Simple Admin Panel version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade Simple Admin Panel to version 1.0.1 or later. Input validation and WAF rules can be temporary workarounds.
There is currently no evidence of active exploitation campaigns targeting CVE-2024-12933.
Check the Simple Admin Panel project's website or GitHub repository for the official advisory related to CVE-2024-12933.