Platform
java
Component
manager-system
Fixed in
1.0.1
CVE-2024-13143 is a cross-site scripting (XSS) vulnerability affecting ZeroWdd studentmanager version 1.0. It allows an attacker to inject script into the application via the url parameter, which can lead to session hijacking or defacement. A fix is available in version 1.0.1, and the exploit has been publicly disclosed.
The vulnerability arises from improper handling of user-supplied input in the url parameter of the submitAddPermission function in PermissionController.java. The value is neither validated nor encoded before it is rendered back into the application's pages, so an attacker who can submit a crafted value containing HTML or JavaScript gets that code executed in the browser of any user who views the affected page. That allows theft of session cookies and impersonation of the victim, injection of arbitrary markup to deface the application, or redirection of users to attacker-controlled sites. The impact is amplified where the application manages sensitive student data, since an attacker acting with a hijacked session could read or modify that data.
This vulnerability has been publicly disclosed, which increases the likelihood of exploitation. The CVSS score is 2.4 (Low), but the ease of exploitation and the sensitivity of the data the application manages warrant prompt attention. No active campaigns targeting this specific vulnerability had been reported as of the publication date (2025-01-05).
Exploit Status
EPSS
0.11% (30th percentile)
The primary mitigation for CVE-2024-13143 is to upgrade to version 1.0.1 of ZeroWdd studentmanager, which contains the fix. If upgrading immediately is not feasible, add input validation and output encoding for the url parameter handled by submitAddPermission in PermissionController.java: reject values that are not well-formed http(s) URLs or site-relative paths, and HTML-encode the value wherever it is rendered. A Web Application Firewall (WAF) with rules for XSS patterns on the submitAddPermission endpoint adds a further layer, but it is not a substitute for fixing the code. After upgrading or patching, confirm the fix by submitting a request with a known script payload in the url parameter and verifying that the value is either rejected or rendered as inert, encoded text rather than executed.
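The following is an added example illustrating the workaround described above; it is not code from the ZeroWdd studentmanager project. It assumes the permission's url value is stored and later interpolated into an HTML page, and the class and method names (PermissionUrlGuard, isAllowedUrl, encodeForHtml, renderUnsafe, renderSafe) are hypothetical helpers, not identifiers from PermissionController.java. The vulnerable rendering pattern is shown beside a hardened one that validates the URL and encodes it for HTML.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example, not code from the ZeroWdd studentmanager project.
// Assumption: the permission "url" value is stored and later rendered into an
// HTML page. All class and method names here are hypothetical helpers.
public final class PermissionUrlGuard {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private PermissionUrlGuard() {}

    /**
     * Input validation: accept only absolute http(s) URLs or site-relative paths.
     * Rejects javascript:, data:, vbscript: and anything that fails to parse,
     * which covers the classic javascript:alert(1) href payload.
     */
    public static boolean isAllowedUrl(String url) {
        if (url == null || url.isBlank() || url.length() > 2048) {
            return false;
        }
        // Control characters, angle brackets and quotes have no place in a URL field.
        for (int i = 0; i < url.length(); i++) {
            char c = url.charAt(i);
            if (c < 0x20 || c == '<' || c == '>' || c == '"' || c == '\'') {
                return false;
            }
        }
        try {
            URI uri = new URI(url.trim());
            String scheme = uri.getScheme();
            if (scheme == null) {
                // A relative path such as /student/list is fine; "//evil.example" is not.
                return url.startsWith("/") && !url.startsWith("//");
            }
            return ALLOWED_SCHEMES.contains(scheme.toLowerCase());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Output encoding: escape the five characters that matter in HTML text and
     * attribute contexts, so a stored value can never close the surrounding tag.
     */
    public static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable pattern: the value is interpolated unchanged into markup.
    static String renderUnsafe(String url) {
        return "<a href=\"" + url + "\">" + url + "</a>";
    }

    // Hardened pattern: reject bad input, then encode what survives.
    static String renderSafe(String url) {
        if (!isAllowedUrl(url)) {
            throw new IllegalArgumentException("url rejected");
        }
        String enc = encodeForHtml(url);
        return "<a href=\"" + enc + "\">" + enc + "</a>";
    }

    public static void main(String[] args) {
        // Constructed sample payloads for the demonstration, not taken from the disclosure.
        String[] samples = {
            "/student/list",
            "https://example.org/grades",
            "javascript:alert(document.cookie)",
            "\"><script>alert(1)</script>",
        };
        for (String s : samples) {
            System.out.println("unsafe: " + renderUnsafe(s));
            try {
                System.out.println("safe:   " + renderSafe(s));
            } catch (IllegalArgumentException e) {
                System.out.println("safe:   rejected");
            }
        }
    }
}
```

Run it with `java PermissionUrlGuard.java` (JDK 11 or later). The two benign samples pass validation and are rendered encoded; the javascript: scheme and the attribute-breakout payload are rejected before they reach the page. Validation alone is not enough in a real fix, because a stored value may have been written before the check existed, which is why the encoding step is applied at render time as well.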
Update to a patched version of studentmanager that fixes the Cross-Site Scripting (XSS) vulnerability. Contact the vendor for the corrected version, or apply the necessary security measures to prevent manipulation of the 'url' input in the 'submitAddPermission' function.
CVE-2024-13143 is a cross-site scripting (XSS) vulnerability in ZeroWdd studentmanager version 1.0 that allows attackers to inject malicious scripts via the 'url' parameter of submitAddPermission.
You are affected if you are running ZeroWdd studentmanager version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1 of ZeroWdd studentmanager. As a temporary workaround, implement input validation and output encoding on the 'url' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the ZeroWdd project's official website or repository for the latest security advisories and updates related to CVE-2024-13143.