Platform: java
Component: manager-system
Fixed in: 1.0.1
CVE-2024-13143 is a cross-site scripting (XSS) vulnerability affecting ZeroWdd studentmanager versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. A fix is available in version 1.0.1, and the exploit has been publicly disclosed.
The XSS vulnerability in ZeroWdd studentmanager arises from improper handling of user-supplied input within the submitAddPermission function. An attacker can craft a malicious URL containing JavaScript code, which, when processed by the application, will be executed in the context of the user's browser. This can lead to the theft of session cookies, allowing the attacker to impersonate the user. Furthermore, the attacker could inject arbitrary HTML and JavaScript, potentially defacing the application or redirecting users to malicious websites. The impact is amplified if the application is used to manage sensitive student data, as an attacker could potentially access or modify this information.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date (2025-01-05).
Educational institutions and organizations utilizing ZeroWdd studentmanager for student data management are at risk. Specifically, deployments with older, unpatched versions (1.0–1.0) are vulnerable. Shared hosting environments where multiple applications share the same server resources could also be affected, as a compromise of one application could potentially lead to the exploitation of this vulnerability in others.
• java / server:
find /path/to/studentmanager/src/main/java/com/zero/system/controller/ -name "PermissionController.java"
• generic web:
curl -s -X POST 'http://your-studentmanager-url/submitAddPermission?url=<script>alert(1)</script>' | grep -i alert

Disclosure
Exploit status:
EPSS: 0.11% (30th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-13143 is to upgrade to version 1.0.1 of ZeroWdd studentmanager, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the url parameter in the PermissionController.java file. This can help prevent the injection of malicious scripts. Additionally, implement a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting the submitAddPermission endpoint. After upgrading, confirm the fix by attempting to submit a request with a known malicious URL payload and verifying that the script is not executed.
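As an added example that is not part of this advisory or of the ZeroWdd studentmanager project, the following Java class shows the two controls the mitigation paragraph names, input validation and output encoding of the url parameter, applied to constructed inputs, including the payload quoted in the detection check above. The class name, the method names and the rendered HTML fragment are assumptions; the project's actual PermissionController code is not reproduced here.

```java
// Added example (not ZeroWdd studentmanager code): validate the 'url' parameter on
// input and HTML-encode it on output before it is written into a page. Class and
// method names are hypothetical and do not correspond to the project's own API.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public final class UrlParamSanitizer {

    // Schemes accepted for a stored permission URL; anything else is rejected.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private UrlParamSanitizer() {}

    /** True if the value parses as a URI and is either an allowed absolute URL or an in-app path. */
    public static boolean isAcceptableUrl(String value) {
        if (value == null || value.isBlank() || value.length() > 2048) {
            return false;
        }
        // Control characters and whitespace never belong in a URL; reject them outright.
        for (char c : value.toCharArray()) {
            if (c <= 0x20 || c == 0x7f) {
                return false;
            }
        }
        try {
            URI uri = new URI(value);
            String scheme = uri.getScheme();
            if (scheme == null) {
                // Relative path inside the application: only '/path', never '//host' (protocol-relative).
                return value.startsWith("/") && !value.startsWith("//");
            }
            // 'javascript:', 'data:' and similar schemes fail this check.
            return ALLOWED_SCHEMES.contains(scheme.toLowerCase());
        } catch (URISyntaxException e) {
            // Characters such as '<' or '>' make the value unparseable, which is a rejection.
            return false;
        }
    }

    /** Encodes the characters that can break out of an HTML text or quoted attribute context. */
    public static String htmlEncode(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Hypothetical handler body: validate first, then encode wherever the value is
     * rendered back into HTML. Returns the fragment that would be emitted.
     */
    public static String renderPermissionUrl(String urlParam) {
        if (!isAcceptableUrl(urlParam)) {
            throw new IllegalArgumentException("rejected url parameter");
        }
        String safe = htmlEncode(urlParam);
        return "<a href=\"" + safe + "\">" + safe + "</a>";
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload from the page's detection check and a benign URL.
        String payload = "<script>alert(1)</script>";
        System.out.println("payload accepted: " + isAcceptableUrl(payload));
        System.out.println("payload encoded:  " + htmlEncode(payload));
        System.out.println(renderPermissionUrl("https://example.org/roles?id=7&x=1"));
        try {
            renderPermissionUrl(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before rendering: " + e.getMessage());
        }
    }
}
```

Validation and encoding are kept as separate steps on purpose: validation narrows what the application stores, while encoding protects every place the stored value is later rendered, so a value that slips past one layer is still neutralised by the other. The encoder above covers HTML text and quoted attribute contexts only; a value placed inside a script block or a URL query would need context-specific encoding instead.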
Update to a patched version of studentmanager that fixes the cross-site scripting (XSS) vulnerability. Contact the vendor to obtain the corrected version, or apply the necessary security measures to prevent manipulation of the 'url' input in the 'submitAddPermission' function.
CVE-2024-13143 is a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'url' parameter.
You are affected if you are using ZeroWdd studentmanager version 1.0–1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1 of ZeroWdd studentmanager. As a temporary workaround, implement input validation and output encoding on the 'url' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the ZeroWdd project's official website or repository for the latest security advisories and updates related to CVE-2024-13143.