CVE-2024-12536: XSS in Kortex Lite Advocate Office Management System
Platform: php
Component: kortex-lite-advocate-office-management-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Kortex Lite Advocate Office Management System version 1.0. The flaw allows an attacker to inject script into the application, potentially leading to session hijacking or defacement. It resides in the /control/client_data.php file and is triggered by manipulating the 'id' parameter. A patch is available in version 1.0.1.
Impact and Attack Scenarios
Successful exploitation of CVE-2024-12536 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as login credentials and personal data. An attacker could also redirect users to malicious websites or modify the application's content to display misleading information. The impact is amplified if the application is used to manage sensitive client data, as a successful attack could compromise the confidentiality and integrity of that data. The vulnerability's remote accessibility increases the potential attack surface.
Exploitation Context
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Threat Intelligence
EPSS: 0.30% (53rd percentile)
CVSS Vector (metric breakdown)
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2024-12536 is to upgrade to version 1.0.1 of Kortex Lite Advocate Office Management System. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'id' parameter in the /control/client_data.php file. While not a complete solution, this can reduce the risk of successful exploitation. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the 'id' parameter can provide an additional layer of defense. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the 'id' parameter and confirming that it is properly sanitized or blocked.
How to fix
Upgrade to a patched version, or disable/remove the Kortex Lite Advocate Office Management System. If no patched version is available, implementing security measures such as input validation and escaping in the /control/client_data.php file is recommended to mitigate the XSS risk.
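As an added illustration of the validation-and-encoding workaround described in the two sections above (example code written for this page, not Kortex Lite's own source; the function names and the markup that renders the client heading are assumptions), the handler below rejects any non-integer 'id' before it reaches a query or the page body and HTML-encodes anything it does echo. Run it from the command line to execute the same probe the advisory suggests for post-upgrade verification.

```php
<?php
declare(strict_types=1);
// Added example, not Kortex Lite's own code: hardened handling of the 'id'
// parameter for a page like /control/client_data.php. Function names and the
// rendered markup are assumptions made for this illustration.

// Validate 'id' as a positive integer; anything else (script tags, arrays,
// "42abc") yields null and never reaches a query or the page body.
function validate_client_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Output encoding for any value that is echoed into an HTML context.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Mirrors the post-upgrade check the advisory suggests: the probe string must
// be rejected by validation and neutralised by encoding.
function self_check(): bool
{
    $probe = '<script>alert(1)</script>';
    return validate_client_id($probe) === null
        && validate_client_id('42') === 42
        && validate_client_id('42abc') === null
        && html_escape($probe) === '&lt;script&gt;alert(1)&lt;/script&gt;';
}

if (PHP_SAPI === 'cli') {              // php client_data_hardened.php
    echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
    exit;
}

// Vulnerable pattern the fix replaces: echo '<h2>Client #' . $_GET['id'] . '</h2>';
$id = validate_client_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    // The rejected value is encoded even on the error path, so it is never reflected raw.
    $raw = $_GET['id'] ?? '';
    echo '<p>Invalid client id: ' . html_escape(is_string($raw) ? $raw : '') . '</p>';
    exit;
}
echo '<h2>Client #' . html_escape((string) $id) . '</h2>';
```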
Frequently asked questions
What is CVE-2024-12536 — XSS in Kortex Lite Advocate Office Management System?
CVE-2024-12536 is a cross-site scripting (XSS) vulnerability affecting Kortex Lite Advocate Office Management System version 1.0, allowing attackers to inject malicious scripts.
Am I affected by CVE-2024-12536 in Kortex Lite Advocate Office Management System?
You are affected if you are using Kortex Lite Advocate Office Management System version 1.0. Upgrade to version 1.0.1 to resolve the issue.
How do I fix CVE-2024-12536 in Kortex Lite Advocate Office Management System?
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'id' parameter in /control/client_data.php.
Is CVE-2024-12536 being actively exploited?
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Where can I find the official Kortex Lite Advocate Office Management System advisory for CVE-2024-12536?
Refer to the SourceCodester website or relevant security forums for the official advisory regarding CVE-2024-12536.