Platform
php
Component
chat-system
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Chat System version 1.0. The flaw resides in the /admin/chatroom.php file and allows attackers to inject malicious scripts by manipulating the 'id' argument. The affected version is 1.0. A patch is available in version 1.0.1, which addresses this security concern.
Successful exploitation of CVE-2024-13033 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Chat System application. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the administrative interface. An attacker could potentially gain access to sensitive user data stored within the Chat System, or leverage the compromised account to perform further malicious actions within the network. The impact is particularly severe given the vulnerability's accessibility via a remote attack.
This vulnerability has been publicly disclosed. While the CVSS score is LOW, the ease of exploitation and potential impact on administrative functions warrant prompt attention. No active exploitation campaigns have been publicly reported as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog.
Administrators of Chat System installations, particularly those using version 1.0, are at significant risk. Shared hosting environments where multiple users share the same Chat System instance are also vulnerable, as a compromised account could potentially impact other users.
• php / web:
curl -I 'http://your-chat-system/admin/chatroom.php?id=<script>alert(1)</script>' | grep -i 'content-type'
• php / web:
grep -r 'id=' /var/www/html/admin/chatroom.php
• generic web:
grep -r 'id=' /var/log/apache2/access.log
disclosure
patch
Exploit Status
EPSS
0.13% (percentile 32%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13033 is to immediately upgrade Chat System to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'id' parameter within the /admin/chatroom.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured with rules to detect and block XSS payloads targeting the 'id' parameter can provide an additional layer of defense. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'id' parameter and verifying that the script is not executed.
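As an added illustration that is not the Chat System project's code, the following PHP models the class of bug the advisory describes (a request parameter 'id' reflected into admin HTML without encoding) beside a hardened version that validates the parameter and HTML-encodes it on output; the function names and the assumption that chatroom ids are positive integers are hypothetical.

```php
<?php
// Added example, not code from Chat System. Requires PHP 8 (str_contains).
declare(strict_types=1);

// Hypothetical unsafe pattern: the raw 'id' value lands in the page body.
function renderChatroomUnsafe(array $get): string
{
    $id = $get['id'] ?? '';
    return '<h2>Chatroom ' . $id . '</h2>';
}

// Hardened version: validate the type first, then encode on output.
function renderChatroomSafe(array $get): string
{
    // Assumption: chatroom identifiers are positive integers.
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        // Reject rather than reflect: nothing attacker-controlled reaches HTML.
        return '<p>Invalid chatroom id.</p>';
    }
    // Defense in depth: encode even a validated value before output.
    $safe = htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Chatroom ' . $safe . '</h2>';
}

// Self-check with a constructed input resembling the advisory's test payload.
$probe = ['id' => '<script>alert(1)</script>'];
if (!str_contains(renderChatroomUnsafe($probe), '<script>')) {
    throw new RuntimeException('unsafe renderer should reflect the payload');
}
if (str_contains(renderChatroomSafe($probe), '<script>')) {
    throw new RuntimeException('safe renderer must not reflect the payload');
}
if (renderChatroomSafe(['id' => '42']) !== '<h2>Chatroom 42</h2>') {
    throw new RuntimeException('safe renderer should accept a valid id');
}
echo "checks passed\n";
```

Run with `php example.php`; the rejection branch shows how strict validation removes the reflected sink entirely, while the htmlspecialchars call covers any value that must still be echoed.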
Upgrade to a patched version or implement input sanitization measures in the /admin/chatroom.php file to prevent XSS code execution. Validate and escape the 'id' parameter's input before using it in the HTML code.
CVE-2024-13033 is a cross-site scripting (XSS) vulnerability in Chat System version 1.0, affecting the /admin/chatroom.php file. Attackers can inject malicious scripts by manipulating the 'id' argument.
If you are running Chat System version 1.0, you are potentially affected. Upgrade to version 1.0.1 or later to mitigate the vulnerability.
The recommended fix is to upgrade Chat System to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'id' parameter.
No active exploitation campaigns have been publicly reported as of the publication date, but the vulnerability is publicly disclosed and may be exploited.
Refer to the Chat System project's official website or repository for the latest security advisories and updates.