Plateforme
php
Composant
social-networking-site
Corrigé dans
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Social Networking Site versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts via manipulation of the 'Story' argument within the message.php file, potentially compromising user sessions and data. The vulnerability has been disclosed publicly and a fix is available in version 1.0.1.
Successful exploitation of CVE-2024-0722 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session on the Social Networking Site. This can lead to various malicious actions, including session hijacking, credential theft, and redirection to phishing sites. The attacker could potentially steal sensitive user data, deface the website, or launch further attacks against other users. Given the public disclosure of this vulnerability, it is crucial to apply the patch promptly to prevent exploitation.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public availability of the exploit makes it a likely target for opportunistic attackers. The vulnerability was published on 2024-01-19.
Users of Social Networking Site versions 1.0 through 1.0 are at risk. This includes websites and applications directly using this component, as well as shared hosting environments where this software might be deployed without proper security configurations. Administrators of such platforms should prioritize patching.
• php / web:
grep -r "Story = $_GET['Story']" /var/www/html/message.php• generic web:
curl -I <social_networking_site_url>/message.php?Story=<xss_payload>• generic web: Check access logs for unusual requests to message.php with suspicious parameters in the Story field. • generic web: Monitor browser console for unexpected JavaScript execution originating from message.php.
disclosure
patch
Statut de l'Exploit
EPSS
0.12% (percentile 31%)
Vecteur CVSS
The primary mitigation for CVE-2024-0722 is to upgrade Social Networking Site to version 1.0.1 or later, which contains the necessary fix. If immediate upgrading is not possible, consider implementing input validation and sanitization on the 'Story' argument in message.php to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'Story' field and verifying that it is properly sanitized.
Actualizar a una versión parcheada del Social Networking Site. Si no hay una versión disponible, revisar y sanitizar las entradas del parámetro 'Story' en el archivo message.php para evitar la ejecución de código JavaScript malicioso. Implementar validación y escape de datos en el lado del servidor.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2024-0722 is a cross-site scripting (XSS) vulnerability affecting Social Networking Site versions 1.0–1.0. It allows attackers to inject malicious scripts through the 'Story' argument in message.php.
Yes, if you are using Social Networking Site version 1.0 or 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade Social Networking Site to version 1.0.1 or later. As a temporary measure, implement input validation and sanitization on the 'Story' argument.
While no active campaigns have been confirmed, the vulnerability is publicly disclosed and may be targeted by opportunistic attackers. Prompt patching is recommended.
Refer to the vendor's advisory for Social Networking Site, which should be available on their official website or security channels.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.