Platform
php
Component
online-fir-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Online FIR System version 1.0. This problematic issue arises from improper handling of user-supplied data within the registercomplaint.php file, specifically the Name/Address argument. Successful exploitation could allow an attacker to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability is fixed in version 1.0.1.
The XSS vulnerability in Online FIR System allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit a compromised page. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the Online FIR System is used to collect sensitive personal information, as attackers could potentially harvest this data. While the CVSS score is LOW, the potential for user compromise and data theft warrants immediate attention.
This vulnerability has been publicly disclosed and a corresponding entry exists in the Vulnerability Database (VDB-250611). The exploit is considered readily available, increasing the likelihood of exploitation. While no active campaigns have been publicly reported, the ease of exploitation suggests that opportunistic attackers may attempt to leverage this vulnerability. The CVE was published on 2024-01-13.
Exploit Status
EPSS
0.17% (38% percentile)
CVSS Vector
The primary mitigation for CVE-2024-0503 is to upgrade to version 1.0.1 of the Online FIR System. This version includes a fix that addresses the improper handling of user input. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Name/Address parameter within registercomplaint.php. This can help prevent malicious scripts from being injected. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert('XSS')</script>) through the Name/Address field and verifying that it is properly sanitized.
Update to a patched version of the Online FIR System. Contact the vendor for a corrected version or implement input sanitization measures in the registercomplaint.php file to prevent XSS (Cross-Site Scripting) code execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-0503 is a cross-site scripting (XSS) vulnerability in Online FIR System version 1.0, allowing attackers to inject malicious scripts via the Name/Address parameter in registercomplaint.php.
You are affected if you are using Online FIR System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the Name/Address parameter.
While no active campaigns have been publicly reported, the vulnerability is publicly disclosed and easily exploitable, increasing the risk of exploitation.
Refer to the VDB entry (VDB-250611) for details and related information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.