Platform
php
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Job Recruitment version 1.0. The flaw resides in the /register.php file and allows attackers to inject malicious scripts into the application. It affects version 1.0, has been publicly disclosed, and poses a potential risk to users. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-11078 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser. This can lead to session hijacking, credential theft, defacement of the application, or redirection to malicious websites. The attacker could potentially gain access to sensitive user data, including login credentials and personal information. The remote nature of the vulnerability means it can be exploited from anywhere with network access to the Job Recruitment application.
This vulnerability was publicly disclosed on 2024-11-11. A public proof-of-concept is likely available given the public disclosure. The CVSS score is LOW, indicating that exploitation may require specific conditions or user interaction. It is not currently listed on the CISA KEV catalog.
Organizations using Job Recruitment version 1.0 are at risk. Shared hosting environments where multiple users share the same instance of Job Recruitment are particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• php / web:
curl -s -X POST -d "e/role=<script>alert(1)</script>" http://your-job-recruitment-server/register.php | grep -i alert
• generic web:
curl -s -X POST -d "e/role=<script>alert(1)</script>" http://your-job-recruitment-server/register.php | grep -i alert
Exploit Status
EPSS
0.13% (percentile 33%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11078 is to upgrade Job Recruitment to version 1.0.1 or later, which contains the fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the 'e/role' parameter in the /register.php file. This can help prevent malicious input from being processed. Additionally, a Web Application Firewall (WAF) configured to block XSS payloads targeting the /register.php endpoint could provide an additional layer of protection. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'e/role' parameter and confirming that it is properly neutralized.
Update to a patched version, or apply a fix that properly filters and escapes user input in the /register.php file, especially the 'e' and 'role' parameters. Validate and sanitize input before displaying it on the page to prevent the execution of malicious code.
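The two mitigation paragraphs above describe the fix in words: validate the 'e' and 'role' parameters and escape them before they are rendered. The following PHP is an added illustration of that pattern, not code from the Job Recruitment project and not its actual /register.php. Only the parameter names 'e' and 'role' come from the advisory; that 'e' holds an e-mail address, the ALLOWED_ROLES list, and the form markup are assumptions made for the example.

```php
<?php
// Added illustration (not the Job Recruitment project's code): a registration
// handler that reflects the 'e' and 'role' request parameters into HTML.
// The vulnerable variant echoes raw input; the hardened variant validates
// first and HTML-escapes everything rendered into the page.
declare(strict_types=1);

// Assumed set of legitimate roles; the real application's roles are unknown.
const ALLOWED_ROLES = ['applicant', 'employer'];

// Vulnerable pattern: untrusted input is concatenated straight into markup,
// so a value such as <script>alert(1)</script> becomes live script.
function render_register_form_vulnerable(array $post): string
{
    $email = (string)($post['e'] ?? '');
    $role  = (string)($post['role'] ?? '');
    return '<input name="e" value="' . $email . '">'
         . '<input name="role" value="' . $role . '">';
}

// Output encoding for an HTML attribute/body context. ENT_QUOTES escapes both
// quote styles, which matters inside value="..." attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation: reject values that cannot be legitimate, so they are never
// stored or processed further. Returns a list of error messages (empty = valid).
function validate_register_input(array $post): array
{
    $errors = [];
    $email = (string)($post['e'] ?? '');
    $role  = (string)($post['role'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'e: not a valid e-mail address';
    }
    if (!in_array($role, ALLOWED_ROLES, true)) {
        $errors[] = 'role: not an allowed role';
    }
    return $errors;
}

// Hardened pattern: the submitted values may be echoed back so the user can
// correct them, but only after escaping; validation errors are escaped too.
function render_register_form_hardened(array $post): string
{
    $email  = (string)($post['e'] ?? '');
    $role   = (string)($post['role'] ?? '');
    $errors = validate_register_input($post);
    $html = '';
    foreach ($errors as $e) {
        $html .= '<p class="error">' . h($e) . '</p>';
    }
    $html .= '<input name="e" value="' . h($email) . '">';
    $html .= '<select name="role">';
    foreach (ALLOWED_ROLES as $r) {
        $sel = ($r === $role) ? ' selected' : '';
        $html .= '<option value="' . h($r) . '"' . $sel . '>' . h($r) . '</option>';
    }
    $html .= '</select>';
    return $html;
}

// Constructed probe of the kind the advisory names; not a real captured request.
$probe = [
    'e'    => '<script>alert(1)</script>',
    'role' => '"><script>alert(1)</script>',
];

echo render_register_form_vulnerable($probe), "\n"; // script tags survive intact
echo render_register_form_hardened($probe), "\n";   // rendered as &lt;script&gt;... text
```

Running the script with `php` shows the difference directly: the first line of output contains executable `<script>` elements, the second contains only escaped text and the assumed role list. The same check is what the mitigation text recommends after upgrading: submit the probe to /register.php and confirm the response carries `&lt;script&gt;` rather than a live tag.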
CVE-2024-11078 is a cross-site scripting (XSS) vulnerability in Job Recruitment version 1.0, affecting the /register.php file. Attackers can inject malicious scripts by manipulating the 'e/role' parameter.
Yes, if you are using Job Recruitment version 1.0, you are affected by this vulnerability. Versions 1.0.1 and later are not vulnerable.
Upgrade Job Recruitment to version 1.0.1 or later. As a temporary workaround, implement input validation and sanitization on the 'e/role' parameter in /register.php.
While there's no confirmed widespread exploitation, the vulnerability is publicly disclosed and a proof-of-concept is likely available, increasing the risk of exploitation.
Refer to the code-projects website or relevant security mailing lists for the official advisory regarding CVE-2024-11078.