Platform
php
Component
skid-nochizplz
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability, rated as problematic, has been identified in MAGESH-K21 Online-College-Event-Hall-Reservation-System versions 1.0 through 1.0. It allows attackers to inject malicious scripts by manipulating the 'id' parameter handled by the 'home.php' file. The vulnerability is remotely exploitable and a public proof-of-concept is available. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-2515 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online-College-Event-Hall-Reservation-System. This could lead to session hijacking, credential theft, defacement of the website, or redirection to malicious sites. The attacker could potentially gain access to sensitive user data, including event reservation details and personal information. Given the public availability of an exploit, the risk of exploitation is elevated.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a higher probability of exploitation. It is not currently listed on CISA KEV. The vendor has not responded to early disclosure attempts. The public nature of the exploit increases the risk of automated scanning and exploitation attempts.
Educational institutions and organizations using the Online-College-Event-Hall-Reservation-System, particularly those with publicly accessible event reservation portals, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the exploitation of this vulnerability on other sites.
• php: Examine 'home.php' for unsanitized use of the 'id' parameter. Search for instances where user input is directly output to the page without proper encoding.
• generic web: Monitor access logs for requests to 'home.php' containing unusual or suspicious characters in the 'id' parameter (e.g., <script>, javascript:, onerror=).
• generic web: Use curl to test the 'home.php' endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>) and observe the response for signs of script execution.
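The log-monitoring check above can be turned into a small script. The following is an added example, not code from the advisory or from the project: it reads combined-format access-log lines (the sample lines are constructed here), keeps only requests to home.php, URL-decodes the 'id' value and flags the markers the advisory lists (`<script`, `javascript:`, `on...=`). The function names and the marker list are our own choices.

```php
<?php
// Added example (not from the original advisory): scan web-server access-log
// lines for requests to home.php whose 'id' parameter carries XSS-like
// markers. The log lines at the bottom are constructed for illustration.

const SUSPICIOUS_PATTERNS = [
    '/<\s*script/i',          // opening <script> tag
    '/javascript\s*:/i',      // javascript: URL scheme
    '/\bon[a-z]+\s*=/i',      // event handler attributes such as onerror=
    '/<\s*(img|svg|iframe)\b/i',
];

/**
 * Return the request target ("/path?query") from a combined-format log line,
 * or null when the line does not match the expected layout.
 */
function requestTarget(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    return $m[1];
}

/**
 * Return the decoded 'id' value when the request hits home.php and the value
 * contains one of the markers; otherwise return null.
 */
function suspiciousIdParam(string $line): ?string
{
    $target = requestTarget($line);
    if ($target === null) {
        return null;
    }
    $parts = parse_url($target);
    if (!isset($parts['path'], $parts['query']) || basename($parts['path']) !== 'home.php') {
        return null;
    }
    parse_str($parts['query'], $params);
    if (!isset($params['id']) || is_array($params['id'])) {
        return null;
    }
    // parse_str already URL-decodes once; decode a second time so that
    // double-encoded payloads (e.g. %253Cscript%253E) are also caught.
    $id = rawurldecode((string) $params['id']);
    foreach (SUSPICIOUS_PATTERNS as $pattern) {
        if (preg_match($pattern, $id)) {
            return $id;
        }
    }
    return null;
}

// Constructed sample lines (not real traffic).
$sampleLog = [
    '203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /home.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.11 - - [10/Mar/2024:12:00:05 +0000] "GET /home.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5200',
    '203.0.113.12 - - [10/Mar/2024:12:00:09 +0000] "GET /home.php?id=%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5200',
    '203.0.113.13 - - [10/Mar/2024:12:00:12 +0000] "GET /login.php?id=%3Cscript%3E HTTP/1.1" 200 1200',
];

foreach ($sampleLog as $line) {
    $hit = suspiciousIdParam($line);
    if ($hit !== null) {
        echo "ALERT: suspicious id parameter on home.php: {$hit}\n";
    }
}
```

Run from the command line with `php scan.php` (or pipe a real log through a loop that calls `suspiciousIdParam` per line). Only the second and third sample lines are reported; the fourth contains a marker but targets a different file, which is the intended scope of the check.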
disclosure
poc
Exploit Status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-2515 is to upgrade to version 1.0.1 of the Online-College-Event-Hall-Reservation-System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'id' parameter in 'home.php' to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Monitor web server access logs for suspicious requests targeting 'home.php' with unusual parameters.
Update to a patched version or apply a mitigation to prevent execution of unwanted JavaScript code. Validate and sanitize user input, especially the 'id' parameter in the home.php file, removing or escaping special characters that could be interpreted as HTML or JavaScript. Implement a Content Security Policy (CSP) to restrict the sources from which the browser may load resources.
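The following is an added example of the workaround described above (input validation, output encoding and a CSP header); it is not the project's own code. The function names are ours, and it assumes that 'id' is a numeric reservation identifier, which the advisory does not state.

```php
<?php
// Added example (not the project's home.php): safe handling of the 'id'
// query parameter. Assumption: 'id' is a positive integer reservation id.

/**
 * The insecure pattern the advisory describes: the raw query value is
 * reflected into HTML without encoding. Shown for comparison only.
 */
function renderVulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return "<h2>Reservation " . $id . "</h2>";
}

/**
 * Hardened version: allow-list validation first (a positive integer),
 * then output encoding for anything that is still reflected.
 */
function renderHardened(array $query): string
{
    $raw = $query['id'] ?? '';
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject rather than echo back: the error message must not reflect
        // the attacker-controlled value either.
        return '<p class="error">Invalid reservation id.</p>';
    }
    // ENT_QUOTES covers both text and attribute contexts; ENT_SUBSTITUTE
    // keeps invalid UTF-8 from silently emptying the output.
    $safeId = htmlspecialchars((string) $id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Reservation " . $safeId . "</h2>";
}

/**
 * Content-Security-Policy value for the header the mitigation text recommends.
 * Without 'unsafe-inline', an injected <script> block is not executed even if
 * an encoding bug slips through; 'self' still allows the site's own scripts.
 */
function cspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

if (PHP_SAPI !== 'cli') {
    header('Content-Security-Policy: ' . cspHeaderValue());
    echo renderHardened($_GET);
} else {
    // Command-line demonstration with a constructed probe value.
    $probe = ['id' => '<script>alert(1)</script>'];
    echo "vulnerable: " . renderVulnerable($probe) . "\n";
    echo "hardened:   " . renderHardened($probe) . "\n";
    echo "hardened:   " . renderHardened(['id' => '42']) . "\n";
}
```

The validation step does most of the work here: once 'id' is known to be an integer there is nothing left to escape, and the `htmlspecialchars` call is the safety net for the case where the page later reflects a free-form value. Note that the CSP only limits the damage of an injection; it does not replace fixing the output encoding in home.php.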
CVE-2024-2515 is a cross-site scripting (XSS) vulnerability affecting versions 1.0–1.0 of the Online-College-Event-Hall-Reservation-System, allowing attackers to inject malicious scripts.
You are affected if you are using Online-College-Event-Hall-Reservation-System versions 1.0–1.0. Upgrade to 1.0.1 to resolve the issue.
Upgrade to version 1.0.1 of the Online-College-Event-Hall-Reservation-System. Implement input validation and output encoding as a temporary workaround.
A public proof-of-concept exploit exists, indicating a potential for active exploitation and increased risk.
The vendor has not responded to early disclosure attempts. Check the vendor's website or security mailing lists for updates.