Platform: php
Component: online-food-ordering-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CodeAstro Online Food Ordering System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and system integrity. The vulnerability resides within the dishes.php file, specifically in the handling of the res_id argument. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-0423 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the website, and redirection to phishing sites. An attacker could steal sensitive user information, such as login credentials or payment details, if the user interacts with the malicious script. The impact is amplified if the system handles sensitive data or processes financial transactions, as the attacker could gain access to critical information and potentially manipulate the application's behavior.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of a public proof-of-concept suggests that attackers may begin targeting vulnerable systems. The vulnerability was added to the VDB with identifier VDB-250442.
Exploit Status
EPSS: 0.15% (35th percentile)
CVSS Vector
The primary mitigation for CVE-2024-0423 is to upgrade to CodeAstro Online Food Ordering System version 1.0.1 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing input validation and output encoding on the res_id parameter in dishes.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Thoroughly review and sanitize all user inputs to prevent malicious code injection.
Update to a patched version or apply the fix provided by the vendor. Validate and sanitize user inputs, especially the 'res_id' parameter in the 'dishes.php' file, to prevent malicious code injection. Implement a content security policy (CSP) to mitigate XSS attacks.
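The mitigations above (validate res_id, encode output, send a content security policy) are shown together in the following PHP example. It is added here for illustration and is not CodeAstro's code; it does not reproduce the real structure of dishes.php. It assumes res_id is a positive integer restaurant identifier, and the table name, column names and sample rows are constructed.

```php
<?php
// Added example, not the project's own code: a hardened version of the pattern
// the advisory describes (res_id read from the request and reflected into HTML).
// The `dishes` table, its columns and the sample rows are constructed.
declare(strict_types=1);

/** Validate res_id as a positive integer; null means "reject the request". */
function validateResId(array $query): ?int
{
    if (!isset($query['res_id']) || !is_string($query['res_id'])) {
        return null;
    }
    $id = filter_var($query['res_id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Encode a value for an HTML text node or a quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Response headers that limit what an injected inline script could do. */
function securityHeaders(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        'X-Content-Type-Options: nosniff',
    ];
}

/** Build the dishes page for one restaurant. Returns [status, html]. */
function renderDishes(PDO $pdo, array $query): array
{
    $resId = validateResId($query);
    if ($resId === null) {
        // Fail closed and never echo the raw parameter back, not even in the error.
        // The vulnerable pattern this replaces concatenates $_GET['res_id'] into HTML.
        return [400, '<p>Invalid restaurant id.</p>'];
    }
    // Parameterised query: the validated integer is bound, never concatenated.
    $stmt = $pdo->prepare('SELECT name, price FROM dishes WHERE res_id = :res_id');
    $stmt->execute([':res_id' => $resId]);

    $html = '<h2>Dishes for restaurant ' . e((string) $resId) . '</h2><ul>';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $dish) {
        // Output encoding on every value, including data read back from the database.
        $html .= '<li>' . e((string) $dish['name']) . ' (' . e((string) $dish['price']) . ')</li>';
    }
    return [200, $html . '</ul>'];
}

// Demo against an in-memory SQLite database with constructed data.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE dishes (id INTEGER PRIMARY KEY, res_id INTEGER, name TEXT, price REAL)');
$pdo->exec("INSERT INTO dishes (res_id, name, price) VALUES (1, 'Margherita', 9.5), (1, 'Tom & Jerry <special>', 12)");

// A valid id, a non-numeric probe, and a missing parameter; only the first renders.
foreach ([['res_id' => '1'], ['res_id' => '1"><b>x</b>'], []] as $query) {
    [$status, $html] = renderDishes($pdo, $query);
    if (PHP_SAPI !== 'cli') {
        http_response_code($status);
        foreach (securityHeaders() as $header) {
            header($header);
        }
    }
    echo $status, ' ', $html, PHP_EOL;
}
```

The validation step rejects anything that is not a positive integer before it reaches either the query or the page, so the reflected value can never carry markup; the encoding step still applies to every value written into HTML, so a later change that reflects free text does not reopen the hole; and the CSP without 'unsafe-inline' is the last line of defence if an encoding gap is ever missed.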
CVE-2024-0423 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Online Food Ordering System versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'res_id' parameter in dishes.php.
You are affected if you are using CodeAstro Online Food Ordering System version 1.0–1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to CodeAstro Online Food Ordering System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While no active exploitation campaigns have been confirmed, the vulnerability is publicly disclosed and a proof-of-concept exists, increasing the risk of exploitation.
Refer to the vendor's advisory or security bulletin for CodeAstro Online Food Ordering System for detailed information and updates regarding CVE-2024-0423.