Platform
php
Component
pocs
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Road Accident Map Marker version 1.0. The flaw resides in the /endpoint/add-mark.php file and allows attackers to inject malicious scripts by manipulating the mark_name/details argument. Successful exploitation could lead to session hijacking or defacement. The vulnerability has been publicly disclosed, and a patch is available in version 1.0.1.
The XSS vulnerability in Road Accident Map Marker allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit a page containing the injected script. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the application is used to collect sensitive user data, as the attacker could potentially intercept this data. Given the public disclosure, the risk of exploitation is elevated.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No known active campaigns targeting this specific vulnerability have been reported. The CVE has been assigned and is available on the NVD. While the CVSS score is LOW, the ease of exploitation and potential impact warrant prompt remediation.
Organizations utilizing Road Accident Map Marker version 1.0, particularly those hosting the application on shared hosting environments or with limited security controls, are at increased risk. Applications integrated with Road Accident Map Marker that rely on user-supplied data for mapping functionality are also vulnerable.
• php / web:
grep -r "mark_name/details" /var/www/html/
• php / web:
curl -s -X POST -d "mark_name/details=<script>alert('XSS')</script>" http://your-road-accident-map-marker-instance/endpoint/add-mark.php | grep "alert('XSS')"
Exploit Status
EPSS
0.16% (37th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13021 is to upgrade to version 1.0.1 of Road Accident Map Marker, which includes the necessary fix. If upgrading is not immediately possible, implement input validation and sanitization on the mark_name/details parameter within the /endpoint/add-mark.php file. Additionally, a Web Application Firewall (WAF) can be configured to block requests containing suspicious JavaScript code in the mark_name/details parameter. Regularly review and update your WAF rules to ensure they remain effective against emerging threats. After upgrading, confirm the fix by submitting a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the mark_name/details parameter and verifying that it is rendered as text rather than executed.
Update to a fixed version or disable the component. Validate and escape user input in `/endpoint/add-mark.php` to prevent XSS injection. Review the source code to identify other vulnerable parameters and apply the necessary mitigations.
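The validate-and-escape mitigation above, shown as an added example in PHP; this is not the project's code and the real /endpoint/add-mark.php is not reproduced here. It assumes the "mark_name/details" argument corresponds to two POST fields, mark_name and details, and the helper names (validate_text, h, save_mark) are hypothetical.

```php
<?php
// Added example, not the project's code: a hypothetical hardened handler for the
// pattern behind /endpoint/add-mark.php. Field names are assumed from the advisory.
declare(strict_types=1);

// Vulnerable pattern (the class of bug in CVE-2024-13021): untrusted POST data
// concatenated straight into HTML, so a <script> payload is interpreted as markup.
//   echo "<b>" . $_POST['mark_name'] . "</b> - " . $_POST['details'];

/** Validate a text field: required, trimmed, bounded length, no control characters. */
function validate_text(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    // Reject C0/DEL control characters; tab, CR and LF stay allowed for free text.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

/** Escape for an HTML text or attribute context; store raw, escape at the output boundary. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$markName = validate_text((string) ($_POST['mark_name'] ?? ''), 100);
$details  = validate_text((string) ($_POST['details'] ?? ''), 1000);

if ($markName === null || $details === null) {
    http_response_code(400);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['error' => 'invalid mark_name or details']);
    exit;
}

// save_mark() stands in for the application's own persistence layer (assumption).
// save_mark($markName, $details);

// Defence in depth: a CSP without 'unsafe-inline' blocks inline scripts even if
// an escaping step is missed elsewhere.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
header('Content-Type: text/html; charset=utf-8');
// Every untrusted value passes through h() exactly once, at the HTML boundary.
echo '<div class="mark"><b>' . h($markName) . '</b> - ' . h($details) . '</div>';
```

With this in place, a submitted `<script>alert('XSS')</script>` is emitted as `&lt;script&gt;...` and displayed as text, which is the behaviour the verification step in the mitigation section expects to see.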
CVE-2024-13021 is a cross-site scripting (XSS) vulnerability in Road Accident Map Marker version 1.0, affecting the /endpoint/add-mark.php file. Attackers can inject malicious scripts through parameter manipulation.
You are affected if you are running Road Accident Map Marker version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the mark_name/details parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2024-13021.