Platform
php
Component
yasserreed-cves
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability, rated as problematic, has been identified in SourceCodester's Best House Rental Management System version 1.0. Manipulating parameters sent to the /rental/ajax.php?action=save_tenant endpoint allows an attacker to inject script that is later rendered in the application's pages. The vulnerability is remotely exploitable and has been publicly disclosed, so it requires prompt attention. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-11742 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Best House Rental Management System. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the rental management interface. An attacker could potentially gain access to sensitive tenant data, modify rental agreements, or redirect users to phishing sites. The impact is amplified if the system is used to manage sensitive financial information or integrates with other critical business systems, potentially enabling lateral movement within the organization.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date, but the public availability of the exploit increases the risk of opportunistic attacks. The vulnerability was disclosed on 2024-11-26.
Exploit Status
EPSS
0.11% (29th percentile)
The primary mitigation for CVE-2024-11742 is to immediately upgrade to version 1.0.1 of the Best House Rental Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the /rental/ajax.php?action=save_tenant endpoint to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Review and update any existing security policies to reflect the importance of prompt patching and secure coding practices.
Update to a patched version of the system. If no patched version is available, sanitize the lastname, firstname and middlename fields in the /rental/ajax.php file before using them in HTML output, to prevent injection of malicious code.
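As an added example (not the project's own code), the following shows the hardening the workaround describes for the three name fields: strict validation when the save_tenant action receives them, and HTML escaping with htmlspecialchars() when they are rendered. Only the endpoint, action and field names come from the advisory; the function names, the allowed character set and the returned array shape are assumptions for illustration.

```php
<?php
// Added example, not code from Best House Rental Management System.
// Assumes the mbstring extension for mb_strlen().
declare(strict_types=1);

// Accept only letters (any script), combining marks, spaces, dots,
// apostrophes and hyphens, with a length cap. Anything else is rejected
// rather than "cleaned", so markup never reaches storage.
function validate_name_field(string $value, bool $required, int $maxLen = 100): ?string
{
    $value = trim($value);
    if ($value === '') {
        return $required ? null : '';
    }
    if (mb_strlen($value) > $maxLen) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// Output-side defense: escape for an HTML text/attribute context at render
// time regardless of what validation did on the way in.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Illustrative stand-in for the action=save_tenant branch (hypothetical name).
// Returns the values that would be stored, or the first field that failed.
function handle_save_tenant(array $post): array
{
    $required = ['lastname' => true, 'firstname' => true, 'middlename' => false];
    $clean = [];
    foreach ($required as $field => $isRequired) {
        $v = validate_name_field((string)($post[$field] ?? ''), $isRequired);
        if ($v === null) {
            return ['status' => 'error', 'field' => $field];
        }
        $clean[$field] = $v;
    }
    return ['status' => 'ok', 'tenant' => $clean];
}

// Constructed sample requests: one carrying markup (rejected by validation),
// one with an apostrophe (accepted, then escaped before it is rendered).
$rejected = handle_save_tenant(['lastname' => '<script>x</script>', 'firstname' => 'Ana']);
$accepted = handle_save_tenant(['lastname' => "O'Brien", 'firstname' => 'Ana']);
echo $rejected['status'], ' on ', $rejected['field'], "\n";
echo html_escape($accepted['tenant']['lastname']), "\n";
```

Validation limits what is stored, but the escape at output is the control that actually prevents the injected content from executing, so keep both even after upgrading to 1.0.1.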
CVE-2024-11742 is a cross-site scripting (XSS) vulnerability affecting version 1.0 of Best House Rental Management System, allowing attackers to inject malicious scripts via the /rental/ajax.php endpoint.
You are affected if you are using Best House Rental Management System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the vulnerable endpoint.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-11742.