CVE-2024-12000 (CVSS 3.5, LOW)

code-projects Blood Bank System Setting updatesettings.php cross site scripting

Platform: php

Fixed in: 1.0.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

A cross-site scripting (XSS) vulnerability has been identified in code-projects Blood Bank System, affecting version 1.0. This flaw resides within the /controllers/updatesettings.php file, specifically in the handling of the 'firstname' argument. Successful exploitation could allow an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. A patch is available in version 1.0.1.

Impact and Attack Scenarios

The XSS vulnerability in Blood Bank System allows an attacker to inject arbitrary JavaScript code into the application's web pages. This code can then be executed in the context of a user's browser, potentially leading to a variety of malicious actions. An attacker could steal session cookies, redirect users to phishing sites, or deface the application's appearance. The impact is amplified if the application handles sensitive data or performs critical operations, as an attacker could leverage the injected script to gain unauthorized access or manipulate data. The vulnerability's remote accessibility means it can be exploited without requiring local access to the system.

Exploitation Context

This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public availability of the vulnerability makes it a potential target for opportunistic attackers. The vulnerability was published on 2024-11-30.

Who Is at Risk

Organizations utilizing the Blood Bank System in environments where user input is not properly sanitized are at risk. This includes deployments with legacy configurations, shared hosting environments where the application shares resources with other potentially compromised websites, and instances where the application handles sensitive patient data.

Detection Steps

• php: Examine the /controllers/updatesettings.php file for inadequate input validation on the 'firstname' parameter. Search for instances where user-supplied data is directly outputted to the page without proper encoding.

// Example of vulnerable code
<?php
echo $_GET['firstname']; // No encoding or validation
?>

• generic web: Monitor access logs for requests to /controllers/updatesettings.php with suspicious parameters in the 'firstname' field. Look for patterns indicative of XSS payloads (e.g., <script>, javascript:).

grep 'firstname=<script.*</script>' access.log

• generic web: Check response headers for the presence of XSS payloads. This can be done by sending a request with an XSS payload in the 'firstname' parameter and examining the response headers for any signs of the payload being reflected.

• generic web: Use a vulnerability scanner to scan the application for XSS vulnerabilities. Many scanners have built-in checks for XSS in common web application components.
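The log check above greps for a literal '<script' in the 'firstname' field, but browsers URL-encode query strings, so the same payload normally reaches the access log as '%3Cscript%3E' and a literal grep misses it. The following PHP CLI script is an added example (not part of the advisory or of the Blood Bank System code base): it extracts the 'firstname' value only from requests to /controllers/updatesettings.php, URL-decodes it with parse_str(), and then tests a small set of XSS indicators. The log lines, IP addresses and timestamps are constructed sample data; the indicator list is an assumption and should be extended to match local detection rules.

```php
<?php
// Added example (not the advisory's or the project's own code): scan access-log
// lines for XSS-looking values in the 'firstname' parameter of the vulnerable
// endpoint. Values are URL-decoded before matching, so encoded payloads are seen.

declare(strict_types=1);

// Constructed sample log lines in combined log format (invented IPs and times).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [30/Nov/2024:10:00:01 +0000] "GET /controllers/updatesettings.php?firstname=Alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2024:10:00:09 +0000] "GET /controllers/updatesettings.php?firstname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Nov/2024:10:01:12 +0000] "GET /index.php?firstname=%3Cscript%3E HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.11 - - [30/Nov/2024:10:02:00 +0000] "GET /controllers/updatesettings.php?firstname=Bob%22%20onmouseover%3Dalert(1) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

// Indicators tested against the *decoded* value, case-insensitively (assumed list).
const XSS_INDICATORS = [
    '/<\s*script/i',              // script tag
    '/javascript\s*:/i',          // javascript: URL scheme
    '/\bon[a-z]+\s*=/i',          // inline event handler such as onmouseover=
    '/<\s*(img|svg|iframe)\b/i',  // other tags commonly carrying handlers
];

/**
 * Return the decoded 'firstname' value for a request to the vulnerable
 * endpoint, or null when the line targets another URL or has no such parameter.
 */
function firstnameFromLogLine(string $line): ?string
{
    if (!preg_match('#"(?:GET|POST)\s+(/controllers/updatesettings\.php\?[^\s"]*)#', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);   // parse_str() URL-decodes every value
    return isset($params['firstname']) ? (string) $params['firstname'] : null;
}

/**
 * Scan a whole log text; returns [line number => decoded firstname] for lines
 * whose firstname value matches at least one indicator.
 */
function findSuspiciousFirstnames(string $log): array
{
    $hits = [];
    foreach (explode("\n", $log) as $i => $line) {
        $value = firstnameFromLogLine($line);
        if ($value === null) {
            continue;
        }
        foreach (XSS_INDICATORS as $pattern) {
            if (preg_match($pattern, $value) === 1) {
                $hits[$i + 1] = $value;
                break;
            }
        }
    }
    return $hits;
}

// Run against the constructed sample; replace SAMPLE_LOG with file_get_contents()
// of a real access log to use it for triage.
foreach (findSuspiciousFirstnames(SAMPLE_LOG) as $lineNo => $value) {
    printf("line %d: firstname=%s\n", $lineNo, $value);
}
```

Matching only on the vulnerable endpoint keeps the output focused; the third constructed line carries the same payload against /index.php and is deliberately ignored. Decoding before matching is the point of the script: the fourth line contains no literal '<' at all, yet its decoded value is an attribute-breakout attempt that the grep on the page would not surface.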

Attack Timeline

  1. Disclosure
  2. Patch

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
NextGuard: 10–15% still vulnerable

EPSS

0.13% (percentile 32%)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
3.5 LOW
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (level of authentication required)
User Interaction: Required (whether a victim action is required)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorised data modification)
Availability: None (risk of service interruption)
nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
Required: the victim must open a file, click a link or visit a page.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
None: no impact on confidentiality.
Integrity
Low: the attacker can modify some data with limited impact.
Availability
None: no impact on availability.

Affected Software

Vendor: code-projects
Affected range: 1.0 – 1.0
Fixed in: 1.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-12000 is to upgrade to version 1.0.1 of the Blood Bank System. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'firstname' parameter within the /controllers/updatesettings.php file. This can help prevent malicious scripts from being injected. Additionally, implement a Web Application Firewall (WAF) with rules to detect and block XSS attempts targeting this specific endpoint. Regularly review and update your WAF rules to ensure they remain effective. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert('XSS')</script>) through the 'firstname' parameter and verifying that the script is not executed.

How to Fix

Upgrade to a patched version of Blood Bank System. If no patched version is available, review and sanitize user input in the `/controllers/updatesettings.php` file, especially the `firstname` parameter, to prevent the execution of malicious JavaScript code. Consider temporarily disabling the affected functionality until a proper fix can be applied.
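The mitigation and fix sections above both call for input validation and output encoding on the 'firstname' parameter. The PHP below is an added example, not the Blood Bank System's own code: it places the vulnerable pattern from the detection step beside a hardened form that validates the value on input and HTML-encodes it on output. The function names, the allowed name characters and the 64-character limit are assumptions; in the real controller the value would come from $_POST or $_GET, and the encoding belongs at every point where the stored name is written into HTML.

```php
<?php
// Added example (not the project's code): vulnerable rendering of 'firstname'
// next to a hardened version. Validation rejects values that cannot be a name;
// output encoding makes whatever is rendered inert as HTML.

declare(strict_types=1);

/** Vulnerable: the raw value is written into the page as markup. */
function renderFirstnameVulnerable(string $firstname): string
{
    return '<p>Welcome, ' . $firstname . '</p>';
}

/**
 * Validate on input. Allowed: letters in any script, combining marks, spaces,
 * hyphens and apostrophes, 1..64 characters (assumed rules for a first name).
 * Returns null when the value is rejected.
 */
function validateFirstname(string $firstname): ?string
{
    $firstname = trim($firstname);
    if ($firstname === '' || mb_strlen($firstname, 'UTF-8') > 64) {
        return null;
    }
    return preg_match('/^[\p{L}\p{M}\' -]+$/u', $firstname) === 1 ? $firstname : null;
}

/** Encode on output: every value placed into HTML goes through htmlspecialchars(). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened: validate first, then encode whatever is rendered. */
function renderFirstnameHardened(string $firstname): string
{
    $clean = validateFirstname($firstname);
    if ($clean === null) {
        // The error path must not echo attacker-controlled input either.
        return '<p class="error">Invalid first name.</p>';
    }
    return '<p>Welcome, ' . h($clean) . '</p>';
}

// Constructed inputs: a normal name, a script tag, an attribute-breakout attempt.
$inputs = ['Alice', '<script>alert(1)</script>', 'Bob" onmouseover="alert(1)'];
foreach ($inputs as $in) {
    echo "vulnerable: " . renderFirstnameVulnerable($in) . "\n";
    echo "hardened:   " . renderFirstnameHardened($in) . "\n\n";
}
```

Validation and encoding are independent layers: even if a future change relaxes the name rules, h() still neutralises '<', '>', '"' and "'" before they reach the browser, so the page cannot be turned into script. ENT_QUOTES matters because the stored name may end up inside an attribute value in some template, where a bare double quote is enough to break out.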


Frequently Asked Questions

What is CVE-2024-12000 — XSS in Blood Bank System?

CVE-2024-12000 is a cross-site scripting (XSS) vulnerability affecting version 1.0 of the Blood Bank System, allowing attackers to inject malicious scripts.

Am I affected by CVE-2024-12000 in Blood Bank System?

If you are using Blood Bank System version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2024-12000 in Blood Bank System?

The recommended fix is to upgrade to version 1.0.1. Alternatively, implement input validation and output encoding on the 'firstname' parameter in /controllers/updatesettings.php.

Is CVE-2024-12000 being actively exploited?

While no active campaigns have been confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.

Where can I find the official Blood Bank System advisory for CVE-2024-12000?

Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2024-12000.
