Platform
php
Component
86480890cc621c240c86e95a3de9ecc4
Fixed in
1.0.1
CVE-2024-7218 describes a cross-site scripting (XSS) vulnerability in SourceCodester's School Log Management System. The flaw allows an attacker to inject script into the application, which can lead to session hijacking or defacement. It affects version 1.0; a patch is available in version 1.0.1.
Successful exploitation of CVE-2024-7218 allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, credential theft, or defacement of the administrative interface. Because the affected endpoint lives under /admin/, an attacker who gets a logged-in administrator to trigger the payload could act with that administrator's privileges: modify student records, add unauthorized users, or go on to compromise the rest of the application.
A proof-of-concept (PoC) for CVE-2024-7218 has been published, so the barrier to exploitation is low. The vulnerability was disclosed on 2024-07-30. The CVSS score is 3.5 (LOW), reflecting the limited impact and the requirement for user interaction. It is not currently listed in CISA KEV.
Schools and other educational institutions running SourceCodester's School Log Management System are at risk, in particular those running the default configuration without additional controls in front of the application. On shared hosting, a compromised administrator account on one tenant may also expose other accounts on the same server.
• php: Examine the /admin/ajax.php file for unsanitized handling of the 'Name' parameter. Search for places where user input is written to the page without output encoding.

Example of the vulnerable pattern:

```php
<?php
echo $_GET['Name']; // Vulnerable to XSS: the value is written into the response unencoded
?>
```

• generic web: Monitor access logs for requests to /admin/ajax.php?action=save_student containing characters or patterns commonly associated with XSS payloads (e.g. <script>, <img src=x onerror=alert(1)>). Note that a value submitted in the request body does not appear in a standard access log, only a value sent in the query string does.
• generic web: Use a web proxy or browser developer tools to inspect the application's response and confirm whether the submitted value is returned unencoded.
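The following PHP CLI script is an added example and is not code from the page or from the School Log Management System. It runs the access-log check described above over a few constructed Apache combined-format log lines: it extracts the request line, URL-decodes the query string of requests to /admin/ajax.php, and looks for common XSS payload markers. The log lines, the marker list and the function name inspect_line are constructed for illustration; the list is deliberately short and is not a substitute for a WAF ruleset.

```php
<?php
// Added example, not part of the page or the project. Runs the detection
// bullet above over constructed Apache combined-format access log lines.
declare(strict_types=1);

// Constructed sample lines: one benign save, two payloads from the PoC
// family, one POST whose body is not in the log, one unrelated request.
$lines = [
    '10.0.0.5 - - [30/Jul/2024:10:01:02 +0000] "GET /admin/ajax.php?action=save_student&Name=Alice HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Jul/2024:10:01:07 +0000] "GET /admin/ajax.php?action=save_student&Name=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 12 "-" "curl/8.0"',
    '10.0.0.9 - - [30/Jul/2024:10:01:09 +0000] "GET /admin/ajax.php?action=save_student&Name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 12 "-" "curl/8.0"',
    '10.0.0.9 - - [30/Jul/2024:10:01:15 +0000] "POST /admin/ajax.php?action=save_student HTTP/1.1" 200 12 "-" "curl/8.0"',
    '10.0.0.7 - - [30/Jul/2024:10:02:00 +0000] "GET /admin/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];

// Markers checked after decoding. Event handlers such as onerror= are
// matched generically as on<word>=. This list is an assumption, kept short.
$markers = ['/<\s*script/i', '/<\s*img\b/i', '/\bon\w+\s*=/i', '/javascript:/i', '/<\s*svg\b/i'];

// Returns null for lines that are not requests to /admin/ajax.php, otherwise
// the method, the decoded query string and the list of markers that matched.
function inspect_line(string $line, array $markers): ?array
{
    // Pull method, path and optional query string out of the request field.
    if (!preg_match('/"(GET|POST|PUT|DELETE|HEAD)\s+([^?\s]+)(?:\?([^\s]*))?\s+HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    [, $method, $path, $query] = $m + [3 => ''];
    if ($path !== '/admin/ajax.php') {
        return null;
    }
    // Decode twice: payloads are sometimes double-encoded to get past naive filters.
    $decoded = rawurldecode(rawurldecode($query));
    $hits = [];
    foreach ($markers as $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $re;
        }
    }
    return ['method' => $method, 'query' => $decoded, 'hits' => $hits];
}

foreach ($lines as $line) {
    $r = inspect_line($line, $markers);
    if ($r === null) {
        continue;
    }
    if ($r['hits']) {
        echo "ALERT  {$r['method']} {$r['query']}  matched " . implode(' ', $r['hits']) . PHP_EOL;
    } elseif ($r['method'] === 'POST') {
        // A Name value sent in a POST body is not recorded in the access log.
        // Flag the request for correlation with WAF or application logs
        // rather than treating it as clean.
        echo "CHECK  POST to save_student, body not visible in access log" . PHP_EOL;
    }
}
```

Run it with `php detect.php`; the two encoded payload lines are reported as ALERT, the benign save is silent, and the POST is reported as CHECK because the access log cannot show what was in the body.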
Disclosure
Exploit status
EPSS
0.09% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-7218 is to upgrade to version 1.0.1 of the School Log Management System immediately. If upgrading is not immediately feasible, add input validation for the 'Name' parameter handled by /admin/ajax.php?action=save_student and encode the value wherever it is written into HTML, so that injected markup is rendered as text rather than executed. A web application firewall (WAF) with rules for XSS payloads can provide a temporary additional layer, but not a replacement for the fix. After upgrading, confirm the vulnerability is resolved by submitting a simple payload (e.g. <script>alert(1)</script>) in the 'Name' field and checking both that the script does not execute and that the response contains the value in encoded form (&lt;script&gt;...).
Update the School Log Management System to a patched version that fixes the XSS vulnerability. If no such version is available, check and filter the input of the 'Name' field handled in /admin/ajax.php?action=save_student to prevent the injection of malicious code. Consider implementing server-side data validation and sanitization to prevent future XSS attacks.
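The following PHP sketch is an added example and is not the project's own code; the real save_student handler in ajax.php is not on this page. It puts the two layers the mitigation describes next to the vulnerable `echo $_GET['Name'];` pattern: validation of 'Name' when a student is saved, and output encoding at every point where the stored name reaches HTML. The function names, the allowed character set and the length limit are assumptions for illustration.

```php
<?php
// Added example, not code from the School Log Management System. Shows the
// two layers the mitigation text describes for the 'Name' parameter.
declare(strict_types=1);

const NAME_MAX_LEN = 100; // assumed limit

// Layer 1: validation at the save_student step. Returns null when the value
// is rejected. Letters of any script, combining marks, spaces, apostrophes,
// hyphens and dots cover ordinary personal names; anything else, including
// < > " & ( ) and =, is refused rather than "cleaned".
function validate_student_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > NAME_MAX_LEN) {
        return null;
    }
    if (!preg_match("/^[\\p{L}\\p{M}' .\\-]+$/u", $name)) {
        return null;
    }
    return $name;
}

// Layer 2: output encoding. Applied at every point a stored name is written
// into HTML, independently of whether validation ran when the record was
// saved (records written before the fix are still in the database).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_student_row(string $name): string
{
    return '<tr><td>' . h($name) . '</td></tr>';
}

// Demo with a constructed payload of the kind the published PoC uses, and a
// legitimate name containing an apostrophe to show validation does not
// reject ordinary input.
$payload = '<script>alert(1)</script>';
var_dump(validate_student_name($payload));
echo render_student_row($payload), PHP_EOL;
var_dump(validate_student_name("O'Brien"));
echo render_student_row("O'Brien"), PHP_EOL;
```

Run with `php fix.php`: the payload is rejected by validate_student_name (NULL) and, if it had reached the page through an older record, render_student_row writes it as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays as text. Validation alone is not enough because the name may reach HTML from paths other than save_student; encoding alone is not enough because the same field may be used in other contexts (exports, e-mail). Both layers together are what the mitigation asks for.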
CVE-2024-7218 is a cross-site scripting (XSS) vulnerability in SourceCodester's School Log Management System that allows attackers to inject malicious scripts. It affects version 1.0.
You are affected if you are running School Log Management System version 1.0. Check your installation and upgrade immediately.
Upgrade to version 1.0.1. If an immediate upgrade is not possible, implement input validation and output encoding for the 'Name' field.
A public proof-of-concept exists, so exploitation requires little skill even though the EPSS score (0.09%) indicates little observed exploitation activity so far. Monitor your systems closely.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-7218.