Platform: php
Component: stock-management-system
Fixed in: 1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in CodeAstro Stock Management System versions 1.0 through 1.0. The flaw allows attackers to inject malicious scripts through the Category Name or Category Description fields handled by the /index.php file. The vulnerability has been publicly disclosed and a patch is available in version 1.0.1.
Successful exploitation of CVE-2024-0958 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Stock Management System. This can lead to session hijacking, credential theft, defacement of the application, or redirection to malicious websites. The impact is particularly severe if the application handles sensitive data or is integrated with other systems, as the attacker could potentially gain access to that data or use the compromised system as a launchpad for further attacks. The ability to inject scripts remotely makes this a significant risk.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score of 3.5 (LOW) indicates relatively low severity, and the EPSS estimate (0.17%) a relatively low probability of exploitation, but the ease of exploitation and potential impact warrant prompt remediation. The vulnerability is tracked in the VDB as VDB-252203. No KEV listing or confirmed exploitation campaigns are currently known.
Organizations utilizing CodeAstro Stock Management System version 1.0, particularly those with publicly accessible instances or those handling sensitive customer data, are at risk. Shared hosting environments where multiple users share the same instance of the Stock Management System are also particularly vulnerable, as an attacker could potentially compromise other users' accounts.
• php / web: Examine access logs for requests to /index.php with unusual or suspicious parameters in the Category Name/Category Description fields. Use grep to search for patterns indicative of XSS payloads (e.g., <script>alert(1)</script>).
• generic web: Use curl/wget to test the /index.php endpoint with various XSS payloads and observe the response for script execution.
• wordpress / composer / npm: N/A. This vulnerability is not specific to WordPress, Composer, or npm.
• database (mysql, redis, mongodb, postgresql): N/A. This vulnerability is not specific to databases.
• windows / supply-chain: N/A. This vulnerability is not specific to Windows or supply-chain components.
• linux / server: N/A. This vulnerability is not specific to Linux servers.
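The access-log check from the first bullet, as an added example that is not part of the advisory or of CodeAstro's code. It parses combined-format log lines, keeps only requests to /index.php, URL-decodes the request target and flags markup that looks like script injection. The log lines are constructed, and the parameter names category_name/category_description and the indicator regexes are assumptions to be tuned to the real application.

```php
<?php
// Added example (not from the advisory or CodeAstro): flag access-log requests to
// /index.php whose decoded query string carries XSS-style markup.
declare(strict_types=1);

// Constructed sample lines in Apache/nginx combined log format.
$accessLog = <<<'LOG'
203.0.113.10 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=categories HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2024:10:00:07 +0000] "GET /index.php?category_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:01:15 +0000] "POST /index.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.5 - - [10/Jan/2024:10:03:00 +0000] "GET /assets/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
LOG;

// Indicators of HTML/script injection, matched after URL-decoding. Deliberately
// generic; the set is an assumption and will need tuning for the real deployment.
const XSS_PATTERNS = [
    '/<\s*script\b/i',                                   // <script ...>
    '/<\s*(img|svg|iframe|body)\b[^>]*\bon\w+\s*=/i',    // inline event handler
    '/javascript\s*:/i',                                 // javascript: URL scheme
];

// Extract client IP, timestamp, method and request target from one combined-format line.
function parse_request(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4]];
}

// Return every /index.php request whose decoded target matches an indicator.
function find_xss_requests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_request($line);
        if ($req === null) {
            continue;
        }
        if (parse_url($req['target'], PHP_URL_PATH) !== '/index.php') {
            continue;
        }
        // urldecode() resolves %3C etc. and maps '+' to a space, as a form submission would.
        $decoded = urldecode($req['target']);
        foreach (XSS_PATTERNS as $pattern) {
            if (preg_match($pattern, $decoded)) {
                $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'target' => $decoded, 'pattern' => $pattern];
                break;
            }
        }
    }
    return $hits;
}

foreach (find_xss_requests($accessLog) as $hit) {
    printf("%s %s %s matched %s\n", $hit['time'], $hit['ip'], $hit['target'], $hit['pattern']);
}
```

Only the GET line carrying the encoded script tag is reported. The POST line is the important caveat: form submissions to /index.php carry the Category fields in the request body, which a standard access log does not record, so a clean access log does not prove the fields were never abused. Retain the stored category rows (or enable request-body logging at the WAF or reverse proxy) if you need that evidence.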
Exploit status: disclosure
EPSS: 0.17% (percentile 38%)
CVSS vector
The primary mitigation for CVE-2024-0958 is to immediately upgrade to CodeAstro Stock Management System version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Category Name and Category Description fields to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review access logs for suspicious activity related to the /index.php endpoint. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Category Name/Description fields and verifying that the script is not executed.
Upgrade to a patched version of the stock management system. If no version is available, sanitize user input in the /index.php file, especially the 'Category Name' and 'Category Description' fields, to prevent execution of malicious JavaScript code.
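The interim mitigation described in the two paragraphs above, as an added example that is not CodeAstro's code: the vulnerable rendering pattern beside a hardened version that validates the Category fields on input and encodes them on output. Function names, field limits and the sample values are assumptions for illustration.

```php
<?php
// Added example (not CodeAstro's code): vulnerable vs. hardened rendering of the
// Category Name / Category Description fields. Names and limits are assumptions.
declare(strict_types=1);

// Vulnerable: the stored value is interpolated into HTML unchanged, so a value such
// as <script>alert(1)</script> is rendered as markup and executed by the browser.
function render_category_vulnerable(string $name, string $description): string
{
    return "<tr><td>{$name}</td><td>{$description}</td></tr>";
}

// Hardened, step 1: validate on input. Length limits and a non-empty name are
// defence in depth; they do not replace output encoding, because legitimate names
// may contain characters like & or " that are harmless once encoded.
function validate_category_input(string $name, string $description): array
{
    $errors = [];
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'Category Name must be 1-100 characters.';
    }
    if (mb_strlen($description) > 500) {
        $errors[] = 'Category Description must be at most 500 characters.';
    }
    return $errors;
}

// Hardened, step 2: encode on output. ENT_QUOTES encodes both quote styles so the
// value is also safe inside attribute values; ENT_SUBSTITUTE avoids returning an
// empty string (and silently dropping content) on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_category_safe(string $name, string $description): string
{
    return '<tr><td>' . e($name) . '</td><td>' . e($description) . '</td></tr>';
}

// Constructed inputs: the payload class from the advisory, plus a benign value
// containing characters that must survive encoding intact.
$name = '<script>alert(1)</script>';
$description = 'Office "supplies" & more';

echo "Vulnerable: ", render_category_vulnerable($name, $description), PHP_EOL;
echo "Hardened:   ", render_category_safe($name, $description), PHP_EOL;

// Validation rejects an over-long name independently of what it contains.
print_r(validate_category_input(str_repeat('x', 101), $description));
```

In the hardened output the angle brackets, quotes and ampersand appear as HTML entities, so the browser displays the text rather than executing it. Apply e() at every place a category field is written into HTML, including table cells, form value attributes and page titles; a single unencoded sink is enough to reintroduce the issue.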
CVE-2024-0958 is a cross-site scripting (XSS) vulnerability in CodeAstro Stock Management System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /index.php file.
You are affected if you are using CodeAstro Stock Management System version 1.0–1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade to CodeAstro Stock Management System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While no confirmed exploitation campaigns are currently known, the vulnerability has been publicly disclosed and a proof-of-concept may be available, increasing the risk of exploitation.
Refer to the CodeAstro website or relevant security mailing lists for the official advisory regarding CVE-2024-0958.