Platform: php
Component: pocs
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability, rated problematic, has been identified in SourceCodester Road Accident Map Marker version 1.0. The flaw resides in the /endpoint/add-mark.php file: the mark_name and details parameters are accepted without adequate validation and output escaping, so an attacker can inject script through them. Successful exploitation can lead to session hijacking or defacement. The vulnerability has been publicly disclosed and a fix is available in version 1.0.1.
The XSS vulnerability in Road Accident Map Marker allows an attacker to inject arbitrary JavaScript into the application. That script runs in the browser of any user who views a page rendering the injected content, with the privileges of that user's session. An attacker could use this to steal session cookies (unless they are flagged HttpOnly), redirect users to malicious sites, or deface the application. The impact is amplified if the application is used to collect sensitive user data, since the injected script can read or exfiltrate anything the victim's browser can see. Given the public disclosure, the risk of exploitation is elevated.
This vulnerability has been publicly disclosed, which increases the likelihood of exploitation. No active campaigns targeting this specific vulnerability have been reported. A CVE has been assigned and the entry is available in the NVD. Although the CVSS score is LOW, the ease of exploitation and the potential impact warrant prompt remediation.
Organizations utilizing Road Accident Map Marker version 1.0, particularly those hosting the application on shared hosting environments or with limited security controls, are at increased risk. Applications integrated with Road Accident Map Marker that rely on user-supplied data for mapping functionality are also vulnerable.
• php / web: locate the affected parameters in the vulnerable endpoint (the advisory's "mark_name/details" denotes two parameters, mark_name and details):
grep -rn -E "mark_name|details" /var/www/html/ --include=add-mark.php
• php / web: submit the advisory's test payload in both parameters and check whether it is reflected unescaped (adjust the host to your instance):
curl -s -X POST --data-urlencode "mark_name=<script>alert('XSS')</script>" --data-urlencode "details=<script>alert('XSS')</script>" http://your-road-accident-map-marker-instance/endpoint/add-mark.php | grep -F "<script>alert('XSS')</script>"
If the endpoint stores the mark rather than echoing it, also retrieve the page that lists or displays marks and grep that response for the raw payload; an escaped form such as &lt;script&gt; indicates the output is being encoded.
Exploit status:
EPSS: 0.16% (37th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-13021 is to upgrade to version 1.0.1 of Road Accident Map Marker, which includes the fix. If upgrading is not immediately possible, implement input validation on the mark_name and details parameters handled by /endpoint/add-mark.php (type, length, character encoding) and, more importantly, HTML-encode both values wherever they are rendered; validation alone does not stop XSS, because the browser interprets whatever reaches the page unencoded. A Web Application Firewall (WAF) can additionally be configured to block requests that carry script-like content in the mark_name or details parameters; review and update the WAF rules regularly, since blacklists are routinely bypassed. After upgrading, confirm the fix by submitting a simple payload (e.g. <script>alert('XSS')</script>) through the mark_name and details parameters and verifying, on the page where marks are displayed, that it is shown as text and not executed.
Update to a patched version or disable the component. Validate and escape user input in `/endpoint/add-mark.php` to prevent the injection of XSS code. Review the source code for other vulnerable parameters and apply the necessary mitigations to them as well.
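The following PHP is an added illustration and is not the Road Accident Map Marker source code. It contrasts the unsafe pattern behind this class of bug (user-supplied mark_name and details written straight into HTML) with a hardened handler that validates the input and encodes it at output. The parameter names come from the advisory; the function names, the HTML template, and the length limits are assumptions for the example.

```php
<?php
// Added illustrative example, NOT the project's add-mark.php.
// Parameter names mark_name/details come from the advisory; everything
// else (function names, template, limits) is assumed for illustration.
declare(strict_types=1);

// Vulnerable pattern: stored user input is written into the page as-is,
// so "<script>...</script>" in mark_name executes in the viewer's browser.
function render_mark_unsafe(array $mark): string
{
    return '<div class="mark"><h3>' . $mark['mark_name'] . '</h3>'
         . '<p>' . $mark['details'] . '</p></div>';
}

// Hardened input handling: enforce type, encoding and length. This does
// NOT try to strip "<script>" with a blacklist; encoding at output is the
// actual XSS fix, validation just keeps junk out of the database.
function validate_mark_input(array $post): array
{
    $limits = ['mark_name' => 100, 'details' => 2000]; // assumed limits
    $out = [];
    foreach ($limits as $field => $max) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("$field must be a string");
        }
        if (!mb_check_encoding($value, 'UTF-8')) {
            throw new InvalidArgumentException("$field is not valid UTF-8");
        }
        $value = trim($value);
        if ($value === '' || mb_strlen($value, 'UTF-8') > $max) {
            throw new InvalidArgumentException("$field is empty or exceeds $max characters");
        }
        $out[$field] = $value;
    }
    return $out;
}

// Contextual output encoding for HTML text nodes and quoted attributes.
// ENT_QUOTES also encodes ' so the value is safe inside single-quoted
// attributes; ENT_SUBSTITUTE avoids returning "" on bad byte sequences.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_mark_safe(array $mark): string
{
    return '<div class="mark"><h3>' . h($mark['mark_name']) . '</h3>'
         . '<p>' . h($mark['details']) . '</p></div>';
}

// Constructed request body using the advisory's test payload plus an
// attribute-breakout variant that a "<script>" blacklist would miss.
$post = [
    'mark_name' => "<script>alert('XSS')</script>",
    'details'   => 'Collision at junction" onmouseover="alert(1)',
];

$mark = validate_mark_input($post);
echo "UNSAFE: " . render_mark_unsafe($mark) . PHP_EOL;
echo "SAFE:   " . render_mark_safe($mark) . PHP_EOL;
// The SAFE line contains &lt;script&gt; and &quot; instead of < and ",
// so the browser displays the text literally rather than executing it.
```

Run it with `php example.php`; the second line of output is what a fixed add-mark.php should produce wherever marks are rendered. If the application also emits marks as JSON for a map script, encode with json_encode() using JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT for that context instead of reusing the HTML encoder.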
CVE-2024-13021 is a cross-site scripting (XSS) vulnerability in Road Accident Map Marker version 1.0, affecting the /endpoint/add-mark.php file. Attackers can inject malicious scripts by manipulating the mark_name and details parameters.
You are affected if you are running Road Accident Map Marker version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary workaround, validate the mark_name and details parameters and HTML-encode them wherever they are rendered.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2024-13021.