Platform: php
Component: vehicle-booking-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CodeAstro Vehicle Booking System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability resides in the Feedback Page component, specifically the usr/user-give-feedback.php file. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-0346 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the Vehicle Booking System's web interface. An attacker could potentially redirect users to phishing sites, steal sensitive information entered into forms, or inject malicious content that appears to originate from the legitimate application. The blast radius is limited to users interacting with the feedback page, but the impact on individual users can be significant.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant prompt remediation. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public availability of the exploit increases the risk. The vulnerability was added to the VDB with identifier VDB-250114.
Exploit Status:
EPSS: 0.22% (44th percentile)
CVSS Vector:
The primary mitigation for CVE-2024-0346 is to upgrade the CodeAstro Vehicle Booking System to version 1.0.1 or later as soon as possible. If upgrading is not immediately feasible, implement input validation and output encoding for the 'My Testemonial' parameter handled by usr/user-give-feedback.php; this prevents submitted text from being interpreted as markup. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide a temporary additional layer of protection. After upgrading, confirm the vulnerability is resolved by submitting a simple XSS probe (e.g., <script>alert(1)</script>) through the feedback form and verifying that the script is not executed.
Update the Vehicle Booking System to a patched version that resolves the XSS vulnerability. If no version is available, review and filter user inputs in the file usr/user-give-feedback.php, especially the 'My Testemonial' argument, to prevent malicious code injection. Implement server-side data validation and sanitization to mitigate the risk.
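The validate-then-encode pattern described above, as an added example for a feedback handler of the kind named in this advisory. This is not CodeAstro's code or the 1.0.1 patch; the form field name, the length limit and the rendering markup are assumptions, since the page only names the file and the 'My Testemonial' parameter.

```php
<?php
// Added example, not the project's code. Assumed: the feedback text arrives
// in a POST field named 'testimonial' (the advisory calls the parameter
// 'My Testemonial'; PHP rewrites spaces in form keys to underscores, so a
// plain name is used here) and is later echoed back into an HTML page.
declare(strict_types=1);

const TESTIMONIAL_MAX_LEN = 1000; // assumed limit, not from the advisory

// Server-side validation narrows what is accepted (size, control characters).
// It does not try to strip tags: output encoding, not input filtering, is
// what stops stored text from being parsed as script.
function validateTestimonial(string $raw): ?string
{
    $text = trim($raw);
    if ($text === '' || mb_strlen($text, 'UTF-8') > TESTIMONIAL_MAX_LEN) {
        return null;
    }
    // Reject control characters other than tab, LF and CR.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $text) === 1) {
        return null;
    }
    return $text;
}

// Output encoding: every HTML-significant character is escaped, so the stored
// text renders literally. ENT_QUOTES also covers attribute contexts.
function renderTestimonial(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<blockquote class="testimonial">' . nl2br($safe) . '</blockquote>';
}

// Mirrors the advisory's verification step: the probe payload must come back
// as text, never as a <script> element. Returns true when encoding holds.
function probeIsNeutralized(): bool
{
    $probe = '<script>alert(1)</script>';               // constructed probe
    return strpos(renderTestimonial($probe), '<script>') === false;
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $testimonial = validateTestimonial((string)($_POST['testimonial'] ?? ''));
    if ($testimonial === null) {
        http_response_code(400);
        exit('Invalid feedback');
    }
    // ... persist $testimonial with a prepared statement (omitted) ...
    echo renderTestimonial($testimonial);
}
```

Running the script from the command line and calling probeIsNeutralized() gives a quick regression check that the rendered feedback never contains a raw script tag.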
CVE-2024-0346 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Vehicle Booking System versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'My Testemonial' parameter.
Yes, if you are running CodeAstro Vehicle Booking System version 1.0–1.0, you are vulnerable to this XSS attack. Upgrade to 1.0.1 to mitigate.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'My Testemonial' parameter.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation. Prompt remediation is advised.
Refer to the CodeAstro website or relevant security advisories for the official advisory regarding CVE-2024-0346.