Platform
php
Fixed in
1.0.1
CVE-2024-11996 is a cross-site scripting (XSS) vulnerability in Farmacia version 1.0, rated problematic. The flaw is in the file /editar-fornecedor.php, where the 'cidade' parameter is written into the page without proper output encoding, so an attacker who controls that value can inject script that runs in other users' browsers and compromise their sessions and data. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-11996 lets an attacker run arbitrary JavaScript in the browser of any user who loads the affected page, within the origin of the Farmacia instance. Consequences include session hijacking (theft of session cookies or tokens), defacement of the application, theft of data shown in the application such as login credentials or personal data, redirection of users to phishing pages, and delivery of malware. Because the vulnerability is triggered remotely through the 'cidade' parameter, exploitation is cheap: the attacker only has to craft a request carrying the payload and get a victim to load the resulting page.
The vulnerability was published on 2024-11-30 and has been publicly disclosed, which raises the risk of exploitation. It has no KEV listing; its EPSS score is 0.14% (35th percentile), a low predicted probability of exploitation in the wild, but public proof-of-concept exploits are likely to appear given how easy the issue is to trigger.
Organizations and individuals running Farmacia version 1.0 are at risk. The injected script executes in the origin of the Farmacia instance, so every user who loads the affected page is exposed: deployments where several staff share one instance are particularly at risk, because a payload planted by one user, or by an attacker who tricks a user into opening a crafted link, runs in the browsers of the others. Users who rely on Farmacia to manage sensitive data, such as supplier records, face the greatest impact.
• php / web: Examine the access logs for requests to /editar-fornecedor.php whose 'cidade' parameter contains markup, URL-encoded or not. Browsers encode '<' as %3C, so match both forms; the pattern needs grep -E because '+' and '|' are extended-regex operators:
grep -Ei 'editar-fornecedor\.php[^ ]*cidade=[^& ]*(%3C|<|%22|"|%27|javascript%3A|onerror)' /var/log/apache2/access.log
Only GET parameters appear in access logs; if the form submits the field via POST, this check will not see the payload.
• php / web: Review the source of /editar-fornecedor.php for places where the 'cidade' value is written into the page without htmlspecialchars() (or an equivalent encoder for the context), and for missing input validation on the parameter.
• generic web: Test the endpoint with a harmless payload, URL-encoded by curl, and inspect the response body. curl does not execute scripts, so the question is whether the payload is reflected verbatim (vulnerable) or HTML-encoded as &lt;script&gt; (fixed). If the page requires a login, pass the session cookie with -b:
curl -sG --data-urlencode 'cidade=<script>alert("XSS")</script>' 'http://example.com/editar-fornecedor.php' | grep -c '<script>alert'
A count of 0 means the payload was not reflected as a live tag.
disclosure
Exploit status
EPSS
0.14% (percentile 35%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11996 is to upgrade Farmacia to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, encode the 'cidade' value with htmlspecialchars() everywhere /editar-fornecedor.php writes it into HTML, and validate the parameter against the characters a city name legitimately contains; output encoding is the control that actually stops the injection, validation is defence in depth. A web application firewall (WAF) with XSS rules can add a temporary layer of protection, but WAF rules are routinely bypassed and are no substitute for the fix. After upgrading, verify the fix by submitting a harmless payload such as <script>alert('XSS')</script> in the 'cidade' parameter and confirming that the response contains it HTML-encoded (&lt;script&gt;...) rather than as a live script tag.
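The following PHP is an added example and is not Farmacia's own code. It assumes editar-fornecedor.php reads the supplier's city from a request parameter named 'cidade' and echoes it back into the edit form's input field; the surrounding HTML, the function names and the validation rule for a city name are hypothetical. It shows the vulnerable pattern beside the hardened one (allowlist validation followed by context-appropriate output encoding) and a self-check with a constructed payload. It requires PHP 8 or later for str_contains().

```php
<?php
// Added example, not Farmacia's own code. Assumes editar-fornecedor.php reads
// the supplier's city from a request parameter 'cidade' and echoes it back into
// an edit form; the HTML layout and function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the raw parameter is written straight into an attribute.
// The payload  "><script>alert("XSS")</script>  closes the value attribute and
// the input tag, and the browser then executes the script.
function renderCityVulnerable(string $cidade): string
{
    return '<input type="text" name="cidade" value="' . $cidade . '">';
}

// HTML-encode for element and attribute contexts. ENT_QUOTES also encodes
// single quotes, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string (which would silently drop the value), ENT_HTML5 matches the
// document type.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth (hypothetical rule): a city name needs letters, including
// accented ones, plus spaces, periods, apostrophes and hyphens, and a sane
// length. Anything else is rejected before it reaches the database or the page.
// Output encoding remains the primary control; validation alone does not cover
// every output context.
function validateCity(string $cidade): ?string
{
    $cidade = trim($cidade);
    if ($cidade === '' || mb_strlen($cidade, 'UTF-8') > 100) {
        return null;
    }
    return preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $cidade) === 1 ? $cidade : null;
}

// Hardened pattern: validate first, then encode on output regardless.
function renderCityHardened(string $cidade): string
{
    $clean = validateCity($cidade);
    if ($clean === null) {
        // A static error message: nothing attacker-controlled is echoed.
        return '<p class="error">Cidade inválida.</p>'
             . '<input type="text" name="cidade" value="">';
    }
    return '<input type="text" name="cidade" value="' . h($clean) . '">';
}

// Self-check with a constructed payload: the vulnerable renderer emits a live
// <script> tag, the encoder alone neutralises it, the hardened renderer rejects
// it, and a legitimate accented city name passes through unchanged.
function selfCheck(): array
{
    $payload = '"><script>alert("XSS")</script>';
    return [
        'vulnerable_has_script'   => str_contains(renderCityVulnerable($payload), '<script>'),
        'encoded_only_has_script' => str_contains(h($payload), '<script>'),
        'hardened_has_script'     => str_contains(renderCityHardened($payload), '<script>'),
        'valid_city_kept'         => renderCityHardened('São Paulo')
            === '<input type="text" name="cidade" value="São Paulo">',
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(selfCheck());
}
```

Run it with php from the command line to see the four checks. The same h() helper must be applied at every point where 'cidade' (or any other stored supplier field) is echoed, including list and detail pages, since a value that passed validation in one version of the form may already be stored in the database from before the fix; if the value is ever placed inside a JavaScript block or a URL, htmlspecialchars() is not the right encoder for that context and json_encode() or rawurlencode() should be used instead.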
Update Farmacia to a fixed version that resolves the XSS vulnerability in the file editar-fornecedor.php. Validate and properly escape user input, in particular the 'cidade' parameter, to prevent injection of malicious code. Also review the other parameters for similar vulnerabilities.
CVE-2024-11996 is a cross-site scripting (XSS) vulnerability in Farmacia version 1.0, affecting the /editar-fornecedor.php file. It allows attackers to inject malicious scripts via the 'cidade' parameter.
Yes, if you are using Farmacia version 1.0, you are vulnerable to this XSS attack. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade Farmacia to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'cidade' parameter.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the Farmacia project's official website or repository for the advisory related to CVE-2024-11996.