Platform: php
Component: kortex-lite-advocate-office-management-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Kortex Lite Advocate Office Management System versions 1.0 through 1.0. The flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides in the /control/client_data.php file and is reachable by manipulating the 'id' parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-12536 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to the theft of sensitive information, such as login credentials and personal data. An attacker could also redirect users to malicious websites or modify the application's content to display misleading information. The impact is amplified if the application is used to manage sensitive client data, as a successful attack could compromise the confidentiality and integrity of that data. The vulnerability's remote accessibility increases the potential attack surface.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant attention. No known active campaigns targeting this specific vulnerability have been reported at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status:
EPSS: 0.30% (53rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-12536 is to upgrade to version 1.0.1 of Kortex Lite Advocate Office Management System. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'id' parameter in the /control/client_data.php file. While not a complete solution, this can reduce the risk of successful exploitation. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the 'id' parameter can provide an additional layer of defense. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the 'id' parameter and confirming that it is properly sanitized or blocked.
Update to a patched version or disable/remove the Kortex Lite Advocate Office Management System. If no patched version is available, it is recommended to implement security measures such as input validation and output escaping in the /control/client_data.php file to mitigate the XSS risk.
CVE-2024-12536 is a cross-site scripting (XSS) vulnerability affecting Kortex Lite Advocate Office Management System versions 1.0–1.0, allowing attackers to inject malicious scripts.
You are affected if you are using Kortex Lite Advocate Office Management System version 1.0–1.0. Upgrade to version 1.0.1 to resolve the issue.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'id' parameter in /control/client_data.php.
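The two mitigation notes above (input validation plus output encoding on the 'id' parameter) describe a pattern without showing it. The following is an added PHP example written for this page; it is not Kortex Lite's own code, and the function names, the page layout and the sample inputs are assumptions made for illustration. It shows the defensive shape a handler like /control/client_data.php should have: accept only a positive integer for 'id', and HTML-encode anything that is echoed back, so a payload such as the advisory's <script>alert(1)</script> is rejected at validation and, even where it is shown back to the user, is rendered as inert text.

```php
<?php
// Added example, not the project's code. Names below (validate_client_id,
// html_encode, render_client_page) are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate the raw 'id' value. Returns the integer id, or null when the
 * value is not a positive integer. FILTER_VALIDATE_INT rejects any markup
 * outright, so an XSS payload never reaches the page logic at all.
 */
function validate_client_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Encode a value before placing it into HTML text or attribute context.
 * ENT_QUOTES covers both quote styles so the value is also safe inside
 * attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
 */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Build the response for the client-data page from the query parameters.
 * The untrusted value is only ever echoed after encoding, and only the
 * validated integer would be used for the record lookup (the database query
 * is out of scope here; the integer would be passed as a bound parameter).
 */
function render_client_page(array $query): array
{
    $raw = $query['id'] ?? null;
    $id  = validate_client_id(is_string($raw) ? $raw : null);

    if ($id === null) {
        // Reject rather than reflect. The invalid value is encoded anyway so
        // that showing it back to the user cannot turn it into markup.
        $shown = html_encode(is_string($raw) ? $raw : '');
        return [
            'status' => 400,
            'body'   => "<p>Invalid client id: {$shown}</p>",
        ];
    }

    return [
        'status' => 200,
        'body'   => '<h1>Client #' . html_encode((string) $id) . '</h1>',
    ];
}

// Constructed sample requests (not real traffic) to exercise the handler.
$samples = [
    ['id' => '42'],                          // valid id
    ['id' => '<script>alert(1)</script>'],   // the payload quoted in the advisory
    ['id' => '42abc'],                       // non-integer, rejected
    [],                                      // parameter missing
];
foreach ($samples as $q) {
    $r = render_client_page($q);
    echo $r['status'], ' ', $r['body'], PHP_EOL;
}
```

Run it with `php client_id_example.php` (any filename works). The script payload produces a 400 response whose body contains `&lt;script&gt;` rather than a live tag, which is the behaviour the advisory's post-upgrade check looks for: the injected markup must come back encoded or blocked, never interpreted by the browser.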
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or relevant security forums for the official advisory regarding CVE-2024-12536.