Platform
php
Component
skid-nochizplz
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Computer Inventory System versions 1.0. This flaw allows attackers to inject malicious scripts through manipulation of arguments within the /endpoint/add-computer.php file. Affected users should upgrade to version 1.0.1 to mitigate this risk, which has been publicly disclosed.
Successful exploitation of CVE-2024-2066 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application's interface, and redirection to phishing sites. The attacker could steal sensitive information like user credentials or internal data displayed within the Computer Inventory System. Given the nature of XSS, the potential impact extends to all users interacting with the vulnerable endpoint, potentially compromising the entire system's integrity.
This vulnerability has been publicly disclosed and assigned the identifier VDB-255381. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant prompt remediation. No active exploitation campaigns have been publicly reported as of this writing, but the availability of the vulnerability details increases the risk of future attacks. The vulnerability was published on 2024-03-01.
Exploit Status
EPSS
0.06% (18% percentile)
CVSS Vector
The primary mitigation for CVE-2024-2066 is to upgrade to version 1.0.1 of the Computer Inventory System. If an immediate upgrade is not feasible, consider implementing input validation and output encoding on the /endpoint/add-computer.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies to ensure adherence to secure coding practices.
Update to a patched version of the software. If no version is available, sanitize the input of the 'model' parameter in the add-computer.php file to prevent XSS code execution. Escaping data output in the HTML template can also mitigate the risk.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-2066 is a cross-site scripting (XSS) vulnerability affecting Computer Inventory System 1.0, allowing attackers to inject malicious scripts via the /endpoint/add-computer.php file.
If you are using Computer Inventory System version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to resolve the issue.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the vulnerable endpoint.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed, increasing the risk of future attacks.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-2066.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.