Platform: php
Component: skid-nochizplz
Fixed in: 1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in MAGESH-K21 Online-College-Event-Hall-Reservation-System versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts via manipulation of the 'id' parameter within the 'home.php' file. The vulnerability is remotely exploitable and a public proof-of-concept is available. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-2515 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online-College-Event-Hall-Reservation-System. This could lead to session hijacking, credential theft, defacement of the website, or redirection to malicious sites. The attacker could potentially gain access to sensitive user data, including event reservation details and personal information. Given the public availability of an exploit, the risk of exploitation is elevated.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a higher probability of exploitation. It is not currently listed on CISA KEV. The vendor has not responded to early disclosure attempts. The public nature of the exploit increases the risk of automated scanning and exploitation attempts.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-2515 is to upgrade to version 1.0.1 of the Online-College-Event-Hall-Reservation-System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'id' parameter in 'home.php' to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor web server access logs for suspicious requests targeting 'home.php' with unusual parameters.
Update to a patched version or apply a mitigation solution to prevent the execution of unwanted JavaScript code. Validate and sanitize user inputs, especially the 'id' parameter in the home.php file, to remove or escape special characters that could be interpreted as HTML or JavaScript code. Implement content security policy (CSP) to restrict the sources from which the browser can load resources.
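The following is an added illustration of the input validation, output encoding and CSP measures recommended above; it is not code from the MAGESH-K21 project. The actual home.php was not examined for this page, so the vulnerable pattern, the function names and the sample requests are assumptions.

```php
<?php
// Added example, not the project's code. The unsafe pattern below is a
// generic illustration of reflected XSS; the real home.php is assumed.
declare(strict_types=1);

// Assumed vulnerable pattern: the raw 'id' query parameter is placed into
// the HTML response without validation or encoding.
function render_id_unsafe(array $query): string
{
    $id = $query['id'] ?? '';
    return "<p>Reservation ID: $id</p>";
}

// Hardened version: accept 'id' only as a positive integer (the only shape
// a reservation id should take), reject everything else, and still
// HTML-encode on output as defence in depth.
function render_id_safe(array $query): string
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return '<p>Invalid reservation id.</p>';
    }
    $encoded = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Reservation ID: $encoded</p>";
}

// Content Security Policy as a browser-side backstop: inline scripts and
// scripts from other origins are refused even if encoding is missed somewhere.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'");
}

// Constructed sample requests (not real traffic).
$benign    = ['id' => '42'];
$malformed = ['id' => '42<x>'];   // non-numeric: rejected by the validator

send_csp_header();
echo "benign:    ", render_id_safe($benign), "\n";
echo "malformed: ", render_id_safe($malformed), "\n";
```

The validator rejects the malformed request before it reaches the template, so the encoding step only ever sees a digit string; the CSP header is sent regardless, so a future encoding slip elsewhere in the page does not turn into script execution.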
CVE-2024-2515 is a cross-site scripting (XSS) vulnerability affecting versions 1.0–1.0 of the Online-College-Event-Hall-Reservation-System, allowing attackers to inject malicious scripts.
You are affected if you are using Online-College-Event-Hall-Reservation-System versions 1.0–1.0. Upgrade to 1.0.1 to resolve the issue.
Upgrade to version 1.0.1 of the Online-College-Event-Hall-Reservation-System. Implement input validation and output encoding as a temporary workaround.
A public proof-of-concept exploit exists, indicating a potential for active exploitation and increased risk.
The vendor has not responded to early disclosure attempts. Check the vendor's website or security mailing lists for updates.