Platform: php
Component: simple-admin-panel
Fixed in: 1.0.1
CVE-2024-12930 is a cross-site scripting (XSS) vulnerability in Simple Admin Panel version 1.0. Manipulating the c_name argument handled by the addCatController.php file allows an attacker to inject script into the application's output. Affected users should upgrade to version 1.0.1 to mitigate this risk. The vulnerability was published on December 26, 2024.
The XSS vulnerability in Simple Admin Panel allows an attacker to inject arbitrary JavaScript code into the application. Successful exploitation could lead to session hijacking, defacement of the admin panel, or redirection of users to malicious websites. The attacker would need to craft a request in which the c_name parameter carries the injected markup. The impact is amplified if the admin panel is used to manage sensitive data or control critical system functions. While the CVSS score is LOW, the fact that a single user interaction with such a request can lead to compromise makes this a notable security concern.
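To make the mechanism concrete, the following is an added example written for this page, not code from the Simple Admin Panel project: a hypothetical addCatController.php-style handler for the c_name parameter shown first in the vulnerable pattern the advisory describes (raw input reflected into HTML) and then in a hardened form that validates on input and HTML-encodes on output. All function names, the allow-list and the length limit are assumptions.

```php
<?php
// Added example (not Simple Admin Panel's own code): a hypothetical handler
// for the c_name parameter in its vulnerable and hardened forms.
// Function names, allow-list and length limit are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw parameter is placed into HTML unchanged, so any
// markup supplied by the client becomes part of the rendered page.
function renderCategoryVulnerable(array $request): string
{
    $name = $request['c_name'] ?? '';
    return "<p>Category added: $name</p>";
}

// Step 1: validate on input. Category names are restricted to a conservative
// allow-list (letters, digits, space, underscore, hyphen, ampersand and
// apostrophe) and a maximum length; anything else is rejected, not "cleaned".
// mb_strlen assumes the mbstring extension, which is standard in most builds.
function validateCategoryName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} _\-&\']+$/u', $name)) {
        return null;
    }
    return $name;
}

// Step 2: encode on output. Even validated data is HTML-escaped at the exact
// point it enters markup, so the page stays safe if the allow-list is later
// relaxed. ENT_QUOTES also escapes single quotes for attribute contexts.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCategoryHardened(array $request): string
{
    $name = validateCategoryName((string)($request['c_name'] ?? ''));
    if ($name === null) {
        return '<p>Invalid category name.</p>';
    }
    return '<p>Category added: ' . escapeHtml($name) . '</p>';
}

// Constructed requests: one with the payload shape from the advisory, one
// with an ordinary name that still needs encoding because of the ampersand.
$injected = ['c_name' => '<script>alert(1)</script>'];
$ordinary = ['c_name' => 'Rock & Roll'];

echo renderCategoryVulnerable($injected), PHP_EOL;   // tag reflected verbatim
echo renderCategoryHardened($injected), PHP_EOL;     // rejected by validation
echo renderCategoryHardened($ordinary), PHP_EOL;     // rendered with & encoded
```

The two defensive steps are deliberately independent: validation limits what reaches the database and later views, while output encoding protects the specific HTML context regardless of where the value came from. Dropping either one is the usual way reflected and stored XSS reappear after a fix.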
CVE-2024-12930 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available as of the publication date. The LOW CVSS score suggests a relatively low probability of active exploitation, but the ease of exploitation inherent in XSS vulnerabilities means that it could become a target for automated scanners and opportunistic attackers. The vulnerability was publicly disclosed on December 26, 2024.
Administrators and users of Simple Admin Panel version 1.0 are at risk. This includes organizations using the panel for internal management tasks, as well as shared hosting environments where the panel is deployed alongside other websites. Any system where the addCatController.php file is accessible via a web browser is potentially vulnerable.
• php / server:
grep -r "c_name" /var/www/simple-admin-panel/
• generic web:
curl -I 'http://your-simple-admin-panel/addCatController.php?c_name=<script>alert(1)</script>'
Exploit status
EPSS: 0.17% (percentile 38%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12930 is to upgrade Simple Admin Panel to version 1.0.1, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the c_name parameter within the addCatController.php file. This could involve restricting the allowed characters and HTML-encoding user-supplied input before it is rendered. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Review access logs for suspicious requests containing unusual characters in the c_name parameter.
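The log review suggested above can be scripted. The following is an added example, not part of the advisory or the project: a small PHP helper that parses combined-format access log lines, decodes the c_name query parameter of requests to addCatController.php, and flags values containing characters or fragments that have no place in a category name. The log lines, IP addresses, timestamps and the character set being flagged are all constructed for the example and should be tuned to the deployment.

```php
<?php
// Added example (not the advisory's or the project's code): review access
// log lines for suspicious c_name values sent to addCatController.php.
// Sample log lines, addresses and the flagged character set are constructed.

declare(strict_types=1);

// Pull the request target out of an Apache/nginx combined-format line, e.g.
//   ... "GET /addCatController.php?c_name=Books HTTP/1.1" 200 ...
function extractRequestTarget(string $line): ?string
{
    if (preg_match('/"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Return the percent-decoded c_name value, or null when the request has none.
function extractCName(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);   // parse_str also percent-decodes values
    return (isset($params['c_name']) && is_string($params['c_name'])) ? $params['c_name'] : null;
}

// Flag values with markup delimiters, quotes, parentheses, backslashes, a
// javascript: scheme or an on*= handler fragment. Conservative by design:
// a legitimate name should never need any of these.
function isSuspiciousCName(string $value): bool
{
    return (bool) preg_match('/[<>"\'();\\\\]|javascript:|on\w+=/i', $value);
}

// Walk the lines and collect hits as [line number, decoded value].
function reviewLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        $target = extractRequestTarget($line);
        if ($target === null || stripos($target, 'addCatController.php') === false) {
            continue;
        }
        $value = extractCName($target);
        if ($value !== null && isSuspiciousCName($value)) {
            $hits[] = ['line' => $index + 1, 'c_name' => $value];
        }
    }
    return $hits;
}

// Constructed sample lines (documentation-range IPs, placeholder timestamps):
// a benign request, an encoded script tag, the same marker sent to another
// script (ignored here), and a benign name containing an encoded ampersand.
$sampleLog = [
    '203.0.113.5 - - [26/Dec/2024:10:00:01 +0000] "GET /addCatController.php?c_name=Books HTTP/1.1" 200 512',
    '203.0.113.6 - - [26/Dec/2024:10:00:07 +0000] "GET /addCatController.php?c_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.7 - - [26/Dec/2024:10:00:09 +0000] "GET /index.php?c_name=%3Cb%3E HTTP/1.1" 200 100',
    '203.0.113.8 - - [26/Dec/2024:10:00:12 +0000] "POST /addCatController.php?c_name=Rock%20%26%20Roll HTTP/1.1" 302 0',
];

foreach (reviewLog($sampleLog) as $hit) {
    printf("line %d: suspicious c_name %s\n", $hit['line'], json_encode($hit['c_name']));
}
```

Decoding before matching matters: the encoded form %3Cscript%3E contains none of the flagged characters, so a grep over the raw log would miss it. The script only examines the query string; a deployment whose controller also reads c_name from a POST body would need the request body logged (or a WAF log) for equivalent coverage.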
Update to a fixed version or apply the necessary security measures to prevent malicious code injection via the c_name parameter in the addCatController.php file. Validate and escape user input to prevent XSS (Cross-Site Scripting) attacks. Consider disabling or removing the component if updating is not possible.
CVE-2024-12930 is a cross-site scripting vulnerability affecting Simple Admin Panel version 1.0, allowing attackers to inject malicious scripts via the c_name parameter in addCatController.php.
Yes, if you are using Simple Admin Panel version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to resolve the issue.
Upgrade Simple Admin Panel to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the c_name parameter.
While there is no confirmed active exploitation, the ease of exploitation inherent in XSS vulnerabilities means it could become a target.
Refer to the Simple Admin Panel project's official website or repository for the advisory and release notes for version 1.0.1.