A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Eyewear Shop version 1.0. The flaw is in the Inventory Page's /oews/classes/Master.php?f=save_product functionality, specifically in its handling of the 'brand' parameter. Successful exploitation could lead to malicious script execution within a user's browser, potentially compromising sensitive data. The vulnerability is fixed in version 1.0.1.
The XSS vulnerability in Online Eyewear Shop allows an attacker to inject malicious JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit the affected page. An attacker could leverage this to steal session cookies, redirect users to phishing sites, or deface the website. The impact is amplified if the application handles sensitive user data, such as payment information or personal details, as the attacker could potentially intercept this data. The remote nature of the vulnerability means an attacker doesn't need to be authenticated to exploit it, significantly broadening the potential attack surface. Similar XSS vulnerabilities in other e-commerce platforms have been used to deploy malware and steal user credentials.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. There is currently no indication of active exploitation campaigns targeting Online Eyewear Shop. The vulnerability is not listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's public disclosure and relatively simple nature.
Exploit Status
EPSS: 0.20% (42nd percentile)
The primary mitigation for CVE-2024-11247 is to immediately upgrade to version 1.0.1 of Online Eyewear Shop. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /oews/classes/Master.php?f=save_product endpoint to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to filter out malicious requests containing suspicious JavaScript code. Review and strengthen the application's overall security posture, including regular security audits and penetration testing. After upgrading, verify the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the 'brand' parameter and confirming that it is properly sanitized.
Update to a patched version of the software. If no patched version is available, sanitize user input, especially the 'brand' parameter, to prevent the execution of malicious JavaScript code. Implement validation and output encoding to prevent XSS attacks.
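The workaround above (validate the 'brand' value on input, encode it on output) shown as an added PHP example; this is not code from the Online Eyewear Shop project, and the function names and the probe value are assumptions chosen to model a save_product handler and the inventory page that later renders the brand:

```php
<?php
// Added example, not Online Eyewear Shop code. Function names are hypothetical.
// Models how the 'brand' parameter of save_product ends up in the inventory page.

// Vulnerable pattern: the stored brand is concatenated straight into HTML, so
// any markup a user submitted as the brand name runs in every viewer's browser.
function render_brand_vulnerable(string $brand): string
{
    return '<td>' . $brand . '</td>';
}

// Input validation: accept only what a brand name can plausibly contain.
// This is defence in depth; output encoding below is the actual XSS control.
function validate_brand(string $brand): string
{
    $brand = trim($brand);
    if ($brand === '' || mb_strlen($brand, 'UTF-8') > 100) {
        throw new InvalidArgumentException('brand must be 1-100 characters');
    }
    // Allowlist: letters, digits, space and a few marks common in brand names
    // (e.g. Ray-Ban, Levi's, D&G). Angle brackets, quotes, slashes etc. are rejected.
    if (!preg_match("/^[\\p{L}\\p{N} .&'-]+$/u", $brand)) {
        throw new InvalidArgumentException('brand contains disallowed characters');
    }
    return $brand;
}

// Output encoding for an HTML element/attribute context. ENT_QUOTES encodes
// both quote styles; ENT_SUBSTITUTE avoids an empty string on invalid UTF-8.
function render_brand_safe(string $brand): string
{
    return '<td>' . htmlspecialchars($brand, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Verification step from the advisory: feed the probe value through both paths.
// The vulnerable renderer emits the script tag intact; the hardened path rejects
// the value at validation, and even if validation were bypassed, the encoded
// output contains no live markup.
$probe = "<script>alert('XSS')</script>";
echo "vulnerable: " . render_brand_vulnerable($probe) . "\n";
echo "encoded:    " . render_brand_safe($probe) . "\n";
try {
    validate_brand($probe);
} catch (InvalidArgumentException $e) {
    echo "validation: rejected (" . $e->getMessage() . ")\n";
}
echo "legitimate: " . render_brand_safe(validate_brand("Levi's")) . "\n";
```

Encode at the point of output for the context the value lands in (HTML body here; a JavaScript or URL context needs a different encoder), since validation alone can be bypassed by data that enters the database through another route.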
CVE-2024-11247 is a cross-site scripting (XSS) vulnerability affecting Online Eyewear Shop version 1.0, allowing attackers to inject malicious scripts via the 'brand' parameter in the /oews/classes/Master.php endpoint.
You are affected if you are running Online Eyewear Shop version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the affected endpoint.
While there is no confirmed active exploitation, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-11247.