Platform: php
Component: blood-bank-donor-management-system
Fixed in: 2.4.1
CVE-2024-12982 describes a cross-site scripting (XSS) vulnerability discovered in PHPGurukul Blood Bank & Donor Management System version 2.4. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability specifically impacts the /bbdms/admin/update-contactinfo.php file. A patch is available in version 2.4.1.
An attacker can exploit this XSS vulnerability by crafting a malicious URL containing a specially crafted Address parameter. When a user with sufficient privileges (likely an administrator) accesses this URL, the injected script will execute in their browser context. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or deface the application's administrative interface. The potential impact extends to sensitive data stored within the Blood Bank & Donor Management System, including donor information and blood inventory details. While the CVSS score is LOW, the potential for privilege escalation within the administrative interface makes this a concerning vulnerability.
This vulnerability was publicly disclosed on December 27, 2024. A public proof-of-concept is likely to emerge given the ease of exploitation associated with XSS vulnerabilities. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The NVD entry was published on the same date as the public disclosure.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12982 is to upgrade to version 2.4.1 of the Blood Bank & Donor Management System. This version includes a fix for the vulnerable parameter handling. If an immediate upgrade is not possible, consider implementing input validation and sanitization on the Address parameter within the /bbdms/admin/update-contactinfo.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script (e.g., <script>alert('XSS')</script>) into the Address field and verifying that the script does not execute.
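To make the mitigation concrete, the following PHP is an added example (it is not PHPGurukul's code and does not reproduce the real update-contactinfo.php). It models a contact-info handler that receives an Address parameter and renders it back into an admin form, first in the pattern that produces reflected XSS and then with HTML encoding applied at the point of output, together with a check that runs the advisory's suggested probe string through the hardened path. The function names, the form template fragment and the 500-byte length limit are assumptions.

```php
<?php
// Added example, not code from PHPGurukul or the advisory. Function names,
// the template fragment and the 500-byte limit are assumptions.
declare(strict_types=1);

// Reject empty, over-long or control-character-laden input before storage.
// Validation narrows the input; it does not replace encoding on output.
function validateAddress(string $raw): ?string
{
    $address = trim($raw);
    if ($address === '' || strlen($address) > 500) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $address) === 1) {
        return null;
    }
    return $address;
}

// HTML-encode a value for a text node or a quoted attribute. ENT_QUOTES
// encodes both quote styles so the value cannot close the attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the parameter is concatenated into markup unchanged.
function renderAddressUnsafe(string $address): string
{
    return '<input type="text" name="Address" value="' . $address . '">';
}

// Hardened pattern: identical template, value encoded at the point of output.
function renderAddressSafe(string $address): string
{
    return '<input type="text" name="Address" value="' . h($address) . '">';
}

// Handler entry point. $params stands in for $_GET/$_POST so the function
// can be exercised from the command line without a web server.
function handleUpdateContactInfo(array $params): string
{
    $address = validateAddress((string)($params['Address'] ?? ''));
    if ($address === null) {
        return '<p>Invalid address.</p>';
    }
    // Persisting $address to the database would happen here (omitted).
    return renderAddressSafe($address);
}

// Post-fix check: true if the encoded output contains no raw <script> tag and
// the submitted value has not added any quote characters beyond the
// template's own (i.e. it could not break out of the value attribute).
function probeIsNeutralised(string $probe): bool
{
    $html = renderAddressSafe($probe);
    $templateQuotes = substr_count(renderAddressSafe(''), '"');
    return stripos($html, '<script') === false
        && substr_count($html, '"') === $templateQuotes;
}

// The probe string the advisory suggests for post-upgrade verification.
$probe = "<script>alert('XSS')</script>";
echo renderAddressUnsafe($probe), PHP_EOL;                 // tag reaches the browser intact
echo handleUpdateContactInfo(['Address' => $probe]), PHP_EOL;
echo probeIsNeutralised($probe) ? "probe neutralised" : "probe NOT neutralised", PHP_EOL;
```

Run it with `php example.php` and compare the two rendered lines: the unsafe one carries the tag verbatim, the safe one carries only entity-encoded text. The encoding step is the actual fix; the validation step and any WAF rule only reduce how much hostile input reaches it.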
Upgrade to a patched version of the PHPGurukul Blood Bank & Donor Management System. If no patched version is available, review and filter input to the 'Address' field in the update-contactinfo.php file to prevent XSS code execution.
CVE-2024-12982 is a cross-site scripting (XSS) vulnerability in PHPGurukul Blood Bank & Donor Management System 2.4, affecting the /bbdms/admin/update-contactinfo.php file. Attackers can inject malicious scripts via the Address parameter.
You are affected if you are using PHPGurukul Blood Bank & Donor Management System version 2.4. The vulnerability impacts the /bbdms/admin/update-contactinfo.php file.
Upgrade to version 2.4.1. If immediate upgrade is not possible, implement input validation and sanitization on the Address parameter and consider using a WAF.
There are currently no reports of active exploitation campaigns, but a public proof-of-concept is likely to emerge given the vulnerability's nature.
Refer to the PHPGurukul website and security advisories for the latest information regarding CVE-2024-12982 and available patches.