LOWCVE-2024-11996CVSS 3.5

CVE-2024-11996: XSS in Farmacia 1.0

Platform

php

Fixed in

1.0.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

CVE-2024-11996 describes a problematic cross-site scripting (XSS) vulnerability discovered in Farmacia version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability specifically affects the /editar-fornecedor.php file, where manipulation of the 'cidade' parameter can trigger the XSS. A patch is available in version 1.0.1.

Impact and Attack Scenarios

Successful exploitation of CVE-2024-11996 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and theft of sensitive information like login credentials or personal data. The attacker could potentially redirect users to phishing sites or install malware. Because the vulnerability is triggered remotely via the 'cidade' parameter, it is relatively easy to exploit, requiring only the crafting of a malicious URL.

Exploitation Context

This vulnerability has been publicly disclosed, increasing the risk of exploitation. No specific KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the ease of exploitation and public disclosure. The vulnerability was published on 2024-11-30.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

NextGuard10–15% still vulnerable

EPSS

0.14% (35% percentile)

CISA SSVC

Exploitationpoc

Automatableno

Technical Impact

Affected Software

Vendorcode-projects

Affected rangeFixed in

1.0 – 1.01.0.1

Weakness Classification (CWE)

CWE-79 CWE-94

Timeline

Reserved2024-11-29
Published2024-11-30
Modified2024-12-05
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-11996 is to upgrade Farmacia to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'cidade' parameter within the /editar-fornecedor.php file. This can help prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert('XSS')</script>) through the 'cidade' parameter and confirming that it is properly sanitized or blocked.

How to fix

Update the Farmacia application to a patched version that fixes the XSS vulnerability in the editar-fornecedor.php file. Validate and escape user inputs properly, especially the 'cidade' parameter, to prevent the injection of malicious code. Review other parameters for potential similar vulnerabilities.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-11996 — XSS in Farmacia 1.0?

CVE-2024-11996 is a cross-site scripting (XSS) vulnerability in Farmacia version 1.0, affecting the /editar-fornecedor.php file. It allows attackers to inject malicious scripts via the 'cidade' parameter.

Am I affected by CVE-2024-11996 in Farmacia 1.0?

Yes, if you are using Farmacia version 1.0, you are vulnerable to this XSS attack. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2024-11996 in Farmacia 1.0?

Upgrade Farmacia to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'cidade' parameter.

Is CVE-2024-11996 being actively exploited?

While no active exploitation has been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.

Where can I find the official Farmacia advisory for CVE-2024-11996?

Refer to the Farmacia project's official website or repository for the advisory related to CVE-2024-11996.