Platform
php
Component
university-management-system
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in CodeAstro University Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides within the /att_add.php file, specifically affecting the handling of the 'Student Name' argument. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-1265 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the University Management System. An attacker could craft a malicious link or embed a script within a seemingly legitimate page, tricking users into clicking and triggering the XSS payload. The impact is amplified if the system is used to manage sensitive student data, as attackers could potentially gain access to personally identifiable information (PII).
This vulnerability was publicly disclosed on 2024-02-07 and is tracked by VDB-253008. The availability of a public exploit suggests a higher probability of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on sensitive data warrant immediate attention. No KEV listing or active exploitation campaigns have been confirmed as of this writing.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1265 is to upgrade to version 1.0.1 of CodeAstro University Management System. Until the upgrade is possible, consider implementing input validation and sanitization on the 'Student Name' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Regularly review and update the system's security configuration to minimize the attack surface.
Update the university management system to a patched version that resolves the XSS vulnerability in the att_add.php file. Verify the release notes or changelog to confirm that CVE-2024-1265 has been addressed. If a patched version is not available, consider implementing mitigation measures such as input sanitization in the att_add.php code to prevent the execution of malicious scripts.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-1265 is a cross-site scripting (XSS) vulnerability affecting CodeAstro University Management System versions 1.0 through 1.0. It allows attackers to inject malicious scripts via the /att_add.php file.
You are affected if you are using CodeAstro University Management System version 1.0 or 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Student Name' field.
While no confirmed active exploitation campaigns are known, the vulnerability has been publicly disclosed and a proof-of-concept is available, increasing the likelihood of exploitation.
Please refer to the CodeAstro website or their security advisory page for the official advisory regarding CVE-2024-1265.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.