Platform: php
Component: vulnerability-research
Fixed in: 0.2.1, 0.2.2, 0.2.3
CVE-2024-13031 describes a problematic cross-site scripting (XSS) vulnerability discovered in White-Jotter, a PHP application. This vulnerability allows an attacker to inject malicious scripts into the Article Content Editor, potentially leading to unauthorized access and data compromise. The vulnerability affects versions 0.2.0 through 0.2.2, and a fix is available in version 0.2.3.
Successful exploitation of CVE-2024-13031 enables an attacker to inject arbitrary JavaScript into the White-Jotter application. The injected code executes in the browser of any user who views a page containing it. The primary impact is account takeover: an attacker could steal session cookies and impersonate legitimate users. The injected script could also read sensitive data displayed on the page, such as user credentials or confidential information. The vulnerability is remotely exploitable, which increases the potential blast radius.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No specific KEV listing or EPSS score is currently available. Public proof-of-concept code may be available or emerge, further accelerating potential exploitation. The vulnerability was published on 2024-12-30.
Exploit Status: EPSS 0.11% (30th percentile)
The primary mitigation for CVE-2024-13031 is to upgrade White-Jotter to version 0.2.3 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Article Content Editor to sanitize user-supplied data. While not a complete solution, this can reduce the attack surface. Reviewing and restricting access to the /admin/content/editor endpoint can also limit potential exposure. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script through the Article Content Editor and verifying that it is not executed.
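One way to apply the output-encoding mitigation and the post-upgrade check described above, as an added example that is not White-Jotter's own code (the function names, the `render_article` page layout and the probe string are assumptions):

```php
<?php
// Added example (not White-Jotter's own code): encode user-supplied
// article content before it is placed in an HTML page, and check that
// a harmless probe saved through the editor is rendered inert.
// Function and variable names are assumptions for illustration.

declare(strict_types=1);

/**
 * Encode article content for safe insertion into an HTML element body.
 * ENT_QUOTES also escapes ' and " so the helper is safe inside attribute
 * values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
 * empty string, which would silently drop the whole article.
 */
function encode_article_content(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render the article view. With $encode = false the content is echoed
 * raw (the vulnerable pattern); with $encode = true it is passed through
 * encode_article_content() first (the fixed pattern).
 */
function render_article(string $title, string $content, bool $encode): string
{
    $body = $encode ? encode_article_content($content) : $content;
    return '<h1>' . encode_article_content($title) . "</h1>\n"
         . '<div class="article">' . $body . "</div>\n";
}

/**
 * Verification step: the rendered page must not contain the probe as
 * live markup, only its encoded form.
 */
function content_is_encoded(string $html, string $probe): bool
{
    return stripos($html, $probe) === false
        && str_contains($html, encode_article_content($probe));
}

// Constructed sample: a benign probe that would only pop an alert box.
$probe  = '<script>alert(1)</script>';
$stored = 'Hello reader. ' . $probe;

$vulnerable = render_article('Test', $stored, false);
$fixed      = render_article('Test', $stored, true);

var_dump(content_is_encoded($vulnerable, $probe));
var_dump(content_is_encoded($fixed, $probe));
```

If the editor stores rich text that must render as HTML, full encoding will display the markup literally; the corresponding fix in that case is an allowlist HTML sanitizer such as HTML Purifier rather than htmlspecialchars.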
Update White-Jotter to a version later than 0.2.2, if available, that fixes the Cross-Site Scripting (XSS) vulnerability. If no version is available, consider disabling or removing the Article Content Editor component until a solution is published. Inspect and sanitize user inputs in the content editor to prevent the injection of malicious code.
CVE-2024-13031 is a cross-site scripting (XSS) vulnerability affecting White-Jotter versions 0.2.0 through 0.2.2, allowing attackers to inject malicious scripts.
You are affected if you are using White-Jotter versions 0.2.0, 0.2.1, or 0.2.2. Upgrade to 0.2.3 or later to mitigate the risk.
Upgrade White-Jotter to version 0.2.3 or later. As a temporary measure, implement input validation and output encoding on the Article Content Editor.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the White-Jotter project's official website or repository for the latest security advisories and updates.