Plateforme
php
Corrigé dans
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Farmacia version 1.0. This flaw resides in the processing of the /fornecedores.php file, enabling attackers to inject malicious scripts into the application. Affected versions include 1.0, and a fix is available in version 1.0.1.
Successful exploitation of CVE-2024-11259 allows an attacker to inject arbitrary JavaScript code into the Farmacia application. This can lead to various client-side attacks, including session hijacking, defacement of the application, and redirection to malicious websites. An attacker could potentially steal user credentials or other sensitive information displayed on the page. The impact is primarily client-side, but the attacker could leverage the compromised session to perform further actions within the application if the user has elevated privileges.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant attention. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of a public proof-of-concept suggests that attackers may begin targeting vulnerable systems.
Organizations and individuals using Farmacia version 1.0 are at risk. This includes those hosting the application on shared hosting environments, as they may be vulnerable without direct control over the application's codebase. Users who interact with the /fornecedores.php page are particularly at risk.
• generic web:
curl -I https://example.com/fornecedores.php?param=<script>alert(1)</script>• generic web:
grep -i 'script' /var/log/apache2/access.logdisclosure
Statut de l'Exploit
EPSS
0.20% (percentile 42%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2024-11259 is to upgrade Farmacia to version 1.0.1 or later, which contains the necessary fix. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /fornecedores.php page to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Verify the upgrade by testing the /fornecedores.php page with various input strings to ensure no XSS payloads are executed.
Mettez à jour l'application Farmacia vers une version corrigée ou ultérieure qui résout la vulnérabilité XSS. Si aucune mise à jour n'est disponible, examinez et filtrez les entrées utilisateur dans le fichier /fornecedores.php pour éviter l'injection de code malveillant.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2024-11259 is a cross-site scripting (XSS) vulnerability in Farmacia version 1.0 affecting the /fornecedores.php file, allowing attackers to inject malicious scripts.
Yes, if you are using Farmacia version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade Farmacia to version 1.0.1 or later. As a temporary measure, implement input validation and output encoding on the /fornecedores.php page.
While no active exploitation campaigns have been publicly reported, the vulnerability is publicly disclosed and a proof-of-concept exists, increasing the risk of exploitation.
Refer to the Farmacia project's official channels for the advisory, which should be available on their website or repository.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.