Platform: php
Component: stock-management-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability, classified as problematic, has been identified in CodeAstro Stock Management System versions 1.0 through 1.0. The flaw allows an attacker to inject script by manipulating the Category Name or Category Description handled within the /index.php file. The vulnerability has been publicly disclosed and a patch is available in version 1.0.1.
Successful exploitation of CVE-2024-0958 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Stock Management System. This can lead to session hijacking, credential theft, defacement of the application, or redirection to malicious websites. The impact is particularly severe if the application handles sensitive data or is integrated with other systems, as the attacker could potentially gain access to that data or use the compromised system as a launchpad for further attacks. The ability to inject scripts remotely makes this a significant risk.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the ease of exploitation and potential impact warrant prompt remediation. The vulnerability is tracked in the VDB as VDB-252203. No KEV listing or confirmed exploitation campaigns are currently known.
Exploit Status
EPSS: 0.17% (38th percentile)
CVSS Vector
The primary mitigation for CVE-2024-0958 is to immediately upgrade to CodeAstro Stock Management System version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Category Name and Category Description fields to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review access logs for suspicious activity related to the /index.php endpoint. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Category Name/Description fields and verifying that the script is not executed.
Update to a patched version of the stock management system. If no version is available, sanitize user inputs in the /index.php file, especially the 'Category Name' and 'Category Description' fields, to prevent the execution of malicious JavaScript code.
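The advisory recommends input validation and output encoding on the Category Name and Category Description fields as the interim fix. The following PHP is an added example written for this page, not CodeAstro's code: it shows the unencoded echo pattern the advisory describes beside a hardened form, with a validation step in front of it. The function names, field names, length limits and allowed character set are assumptions, and the form submission is constructed inline.

```php
<?php
// Added example, not CodeAstro's code. Function names, field names and limits
// are assumptions chosen to illustrate the advisory's recommended mitigation.
declare(strict_types=1);

// BEFORE: the pattern behind a stored XSS. A category row is built by dropping
// the stored values straight into HTML, so a value containing markup such as
// <script> is interpreted by the browser instead of being displayed as text.
function render_category_unsafe(array $category): string
{
    return "<tr><td>{$category['name']}</td><td>{$category['description']}</td></tr>";
}

// Output encoding: every value placed into an HTML text node or quoted attribute
// goes through htmlspecialchars. ENT_QUOTES covers both quote styles so the same
// helper is safe inside attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from
// producing an empty string that would silently hide the field.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// AFTER: same row, but every dynamic value is encoded at the point of output.
function render_category_safe(array $category): string
{
    return '<tr><td>' . h($category['name']) . '</td><td>' . h($category['description']) . '</td></tr>';
}

// Input validation: reject values that do not fit the field rather than trying
// to strip "bad" substrings. Validation narrows what gets stored; it does not
// replace output encoding, because a description legitimately may contain
// characters like < or &. Limits and the character class are assumptions.
function validate_category(array $input): array
{
    $errors      = [];
    $name        = trim((string) ($input['name'] ?? ''));
    $description = trim((string) ($input['description'] ?? ''));

    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        $errors[] = 'Category name must be 1-64 characters.';
    } elseif (!preg_match('/^[\p{L}\p{N} _\-\.\/&()]+$/u', $name)) {
        $errors[] = 'Category name contains characters that are not allowed.';
    }
    if (mb_strlen($description, 'UTF-8') > 500) {
        $errors[] = 'Category description must be at most 500 characters.';
    }
    if ($description !== '' && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $description)) {
        $errors[] = 'Category description contains control characters.';
    }

    return [
        'ok'          => $errors === [],
        'errors'      => $errors,
        'name'        => $name,
        'description' => $description,
    ];
}

// Constructed sample submission standing in for $_POST from the category form.
// The description is the kind of value the advisory says is reflected unencoded.
$submission = [
    'name'        => 'Office Supplies',
    'description' => 'Pens & paper "bulk" <script>document.title=1</script>',
];

$result = validate_category($submission);
echo 'Validation: ' . ($result['ok'] ? 'accepted' : 'rejected: ' . implode(' ', $result['errors'])) . PHP_EOL;
echo 'Unsafe render: ' . render_category_unsafe($result) . PHP_EOL;
echo 'Safe render:   ' . render_category_safe($result) . PHP_EOL;
```

Run with `php example.php`. The sample description passes validation, which is the point of the comparison: the unsafe render emits the `<script>` element verbatim, while the safe render emits `&lt;script&gt;` and the browser shows the text rather than executing it. Treat validation as a way to keep the stored data sane and output encoding as the control that actually closes the XSS.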
CVE-2024-0958 is a cross-site scripting (XSS) vulnerability in CodeAstro Stock Management System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /index.php file.
You are affected if you are using CodeAstro Stock Management System version 1.0–1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade to CodeAstro Stock Management System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed and a proof-of-concept may be available, increasing the risk of exploitation.
Refer to the CodeAstro website or relevant security mailing lists for the official advisory regarding CVE-2024-0958.