A problematic cross-site scripting (XSS) vulnerability has been identified in Farmacia version 1.0. This flaw allows attackers to inject malicious scripts, potentially leading to session hijacking or defacement of the application. The vulnerability resides within the 'usuario.php' file, specifically related to the manipulation of the 'name' argument. Affected users should upgrade to version 1.0.1 to mitigate this risk.
Successful exploitation of CVE-2024-11660 enables an attacker to inject arbitrary JavaScript code into the Farmacia application. This code can then be executed in the context of a victim's browser, allowing the attacker to steal session cookies, redirect users to malicious websites, or modify the content displayed on the page. The impact is heightened by the remote nature of the attack, meaning an attacker doesn't need local access to exploit the vulnerability. The blast radius extends to all users interacting with the vulnerable 'usuario.php' endpoint, potentially impacting a wide range of Farmacia users.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS
0.10% (27% percentile)
CISA SSVC
The primary mitigation for CVE-2024-11660 is to upgrade Farmacia to version 1.0.1, which includes a fix for the XSS vulnerability. If an immediate upgrade is not feasible, consider implementing input validation and sanitization on the 'name' parameter in 'usuario.php' to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the 'name' parameter and verifying that it is properly sanitized or blocked.
Actualice el software Farmacia a una versión parcheada que solucione la vulnerabilidad XSS en el archivo usuario.php. Verifique las notas de la versión o el registro de cambios para identificar la versión corregida. Si no hay una versión parcheada disponible, considere implementar medidas de mitigación como la desinfección de entradas y la codificación de salidas para prevenir ataques XSS.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-11660 is a cross-site scripting (XSS) vulnerability in Farmacia version 1.0, allowing attackers to inject malicious scripts via the 'name' parameter in 'usuario.php.'
Yes, if you are using Farmacia version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to resolve the issue.
Upgrade Farmacia to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'name' parameter in 'usuario.php.'
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Farmacia project's official website or repository for the latest security advisories and updates.
CVSS Vector
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.