Platform
php
Component
cve_hub
Fixed in
1.0.1
CVE-2024-0284 describes a cross-site scripting (XSS) vulnerability in Kashipara Food Management System versions up to and including 1.0. The flaw lets an attacker inject script into the application's web pages through the party_address parameter of party_submit.php, which can compromise user sessions and the data those sessions can reach. The fix is available in version 1.0.1.
The vulnerability allows an attacker to inject arbitrary JavaScript into the application's pages, which a victim's browser then executes in the context of the victim's session. Typical consequences are theft of session cookies or other data visible to the page, redirection of users to attacker-controlled sites, and defacement. If the victim is an administrator, the attacker effectively gains that user's level of access, including to any customer or financial records the system stores. The CVSS base severity is LOW, but user compromise and data theft remain realistic outcomes.
The vulnerability has been publicly disclosed, and a proof-of-concept may be available. It is listed in VulDB as VDB-249839. The LOW CVSS score and the EPSS estimate of 0.07% suggest a low probability of widespread exploitation, but public disclosure raises the risk for exposed instances. No active exploitation campaigns had been confirmed at the time of writing.
Organizations and individuals running Kashipara Food Management System version 1.0 or earlier are at risk, including the small businesses and non-profit organizations that rely on it for food management and may handle personal data of customers and suppliers. Because XSS executes in the victim's browser within the application's origin, the practical exposure is to the instance's own users, above all administrators whose authenticated sessions an injected script can abuse.
• php / web: confirm that the handler reads the parameter, then check whether its value is echoed back without htmlspecialchars() or equivalent encoding:
grep -n "party_address" /var/www/html/party_submit.php
• generic web: send a harmless reflection probe and look for it unencoded in the response body. Use a plain GET rather than a HEAD request (curl -I), because HEAD returns no body; if the form submits via POST, replace -G with -d. Only test systems you are authorized to test:
curl -s -G --data-urlencode 'party_address=<script>alert(1)</script>' "<food_management_system_url>/party_submit.php" | grep -c '<script>alert(1)</script>'
• generic web: check access and error logs for requests to party_submit.php whose party_address parameter contains <script> tags, event-handler attributes (onerror=, onload=) or other XSS payloads, including URL-encoded and double-encoded forms.
• generic web: review the application's source code for missing input validation and output encoding of user-supplied data.
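The log check above can be automated. The following is an added example, not code from the advisory or from the Kashipara project: it parses combined-format access log lines, extracts a URL-decoded party_address value from requests to party_submit.php, and flags values that carry common XSS indicators. The log lines are constructed for illustration, the indicator list is a heuristic to tune for your environment, and the script assumes PHP 8 (for str_ends_with).

```php
<?php
// Added example (not Kashipara project code): flag access-log requests to
// party_submit.php whose party_address parameter looks like an XSS payload.
declare(strict_types=1);

// Heuristic indicators of script injection; extend or tighten as needed.
const XSS_INDICATORS = [
    '/<\s*script/i',
    '/<\s*(img|svg|iframe|body|object|embed)\b/i',
    '/\bon[a-z]+\s*=/i',          // onerror=, onload=, onmouseover= ...
    '/javascript\s*:/i',
];

/**
 * Return the decoded party_address value from a combined-format log line,
 * or null when the request is not for party_submit.php with that parameter.
 */
function extractPartyAddress(string $logLine): ?string
{
    // Request section of the line: "METHOD /path?query HTTP/x.y"
    if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (!isset($url['path'], $url['query']) || !str_ends_with($url['path'], 'party_submit.php')) {
        return null;
    }
    parse_str($url['query'], $params);   // splits on & and = and URL-decodes once
    if (!isset($params['party_address'])) {
        return null;
    }
    // Decode a second time so double-encoded payloads (%253C -> %3C -> <) are caught.
    return rawurldecode((string) $params['party_address']);
}

function looksLikeXss(string $value): bool
{
    foreach (XSS_INDICATORS as $pattern) {
        if (preg_match($pattern, $value)) {
            return true;
        }
    }
    return false;
}

/** Return the lines whose party_address value matches an XSS indicator. */
function findSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $value = extractPartyAddress($line);
        if ($value !== null && looksLikeXss($value)) {
            $hits[] = ['line' => $line, 'party_address' => $value];
        }
    }
    return $hits;
}

// Constructed sample log lines, not real traffic.
$sampleLog = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /party_submit.php?party_name=Acme&party_address=12+Main+St HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /party_submit.php?party_address=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2024:10:00:09 +0000] "GET /party_submit.php?party_address=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2024:10:00:12 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 200',
];

foreach (findSuspiciousRequests($sampleLog) as $hit) {
    echo 'Suspicious party_address: ', $hit['party_address'], "\n";
}
```

On the constructed input the second and third lines are reported (the third only because of the second decoding pass) and the first and fourth are not. Web server access logs record only the query string, so payloads submitted in a POST body will not appear there; for those, application-level request logging or a WAF log is needed.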
disclosure
patch
Exploit status
EPSS
0.07% (percentile 22%)
CVSS vector
The primary mitigation for CVE-2024-0284 is to upgrade Kashipara Food Management System to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, add input validation and output encoding for the party_address parameter in party_submit.php. A web application firewall (WAF) configured to detect and block XSS payloads can provide a temporary layer of protection, but it is not a substitute for fixing the code. Review and update input sanitization routines regularly to prevent similar flaws. After upgrading, confirm the fix by submitting script payloads to the party_submit.php endpoint and verifying that they come back encoded rather than as live markup.
Update Kashipara Food Management System to a version later than 1.0 or apply the vendor-provided patch to fix the XSS vulnerability in party_submit.php. Review and filter user input, especially the party_address argument, to prevent injection of malicious code. Add further safeguards, such as output encoding, to reduce the risk of XSS attacks.
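The mitigation advice above (validate on input, encode on output) is shown below as an added example; it is not the Kashipara project's code, and the original party_submit.php is not reproduced. The handler is a hypothetical reconstruction of the pattern the advisory describes: a party_address value taken from the request and written back into HTML. The vulnerable rendering is kept beside the hardened one for contrast, and the function and parameter names other than party_address and party_submit.php are assumptions.

```php
<?php
// Added example (not Kashipara project code): vulnerable vs hardened handling
// of the party_address parameter as described for party_submit.php.
declare(strict_types=1);

// Vulnerable pattern: the parameter is interpolated into HTML untouched, so a
// value such as <script>alert(1)</script> becomes executable markup.
function renderPartyAddressVulnerable(string $partyAddress): string
{
    return '<p>Address: ' . $partyAddress . '</p>';
}

// Input validation: limit what reaches the database and other sinks. This is
// defence in depth; output encoding below is what actually neutralises XSS.
function validatePartyAddress(string $partyAddress): ?string
{
    $partyAddress = trim($partyAddress);
    // Hypothetical limit; align with the application's column size.
    if ($partyAddress === '' || strlen($partyAddress) > 512) {
        return null;
    }
    // Reject ASCII control characters, which never belong in an address.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $partyAddress)) {
        return null;
    }
    return $partyAddress;
}

// Output encoding: ENT_QUOTES covers both quote styles in case the value is
// ever placed inside an attribute; ENT_SUBSTITUTE avoids emitting invalid UTF-8.
function renderPartyAddressSafe(string $partyAddress): string
{
    $encoded = htmlspecialchars($partyAddress, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Address: ' . $encoded . '</p>';
}

// Request handling as it would sit in the handler. $request stands in for
// $_GET or $_POST depending on how the form submits.
function handlePartySubmit(array $request): string
{
    $raw = (string) ($request['party_address'] ?? '');
    $address = validatePartyAddress($raw);
    if ($address === null) {
        http_response_code(400);
        return '<p>Invalid party address.</p>';
    }
    // Persist $address here with a prepared statement, then render.
    return renderPartyAddressSafe($address);
}

$payload = '<script>alert(1)</script>';
echo renderPartyAddressVulnerable($payload), "\n";           // markup passes through unchanged
echo handlePartySubmit(['party_address' => $payload]), "\n"; // markup is entity-encoded and inert
```

Running the script shows the same payload rendered twice: once as live markup by the vulnerable function and once as entity-encoded text by the hardened path. Encoding must happen at the point of output for the context in question; if the stored value is later written into JavaScript or a URL rather than HTML text, a context-appropriate encoder is needed instead of htmlspecialchars().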
CVE-2024-0284 is a cross-site scripting (XSS) vulnerability in Kashipara Food Management System versions up to and including 1.0 that allows attackers to inject malicious scripts.
You are affected if you are running Kashipara Food Management System version 1.0 or earlier. Upgrade to 1.0.1 to resolve the issue.
Upgrade to version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While no active exploitation campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk.
Refer to the Kashipara Food Management System documentation or website for the official advisory regarding CVE-2024-0284.