Plateforme
php
Composant
pocs
Corrigé dans
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Multi Role Login System versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts via manipulation of the 'name' argument within the /endpoint/add-user.php file. The vulnerability has been publicly disclosed and poses a risk to user data and system integrity. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13069 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application. An attacker could potentially steal sensitive user data, redirect users to phishing sites, or compromise the entire application if the user has elevated privileges. The impact is amplified if the application handles sensitive information or integrates with other systems.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant immediate attention. No KEV listing or active exploitation campaigns have been publicly reported as of the time of this writing. Refer to the NVD and CISA advisories for further details.
Organizations utilizing Multi Role Login System version 1.0, particularly those with publicly accessible instances or those handling sensitive user data, are at risk. Shared hosting environments where multiple users share the same server are also at increased risk, as a compromise of one user's account could potentially impact others.
• php / web:
grep -r "/endpoint/add-user.php" /var/www/html/*• php / web:
curl -I http://your-website.com/endpoint/add-user.php?name=<script>alert('XSS')</script>• generic web:
grep -r "name=\"" /var/log/apache2/access.logdisclosure
Statut de l'Exploit
EPSS
0.12% (percentile 31%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2024-13069 is to immediately upgrade to version 1.0.1 of Multi Role Login System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'name' parameter in /endpoint/add-user.php to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies and procedures to prevent similar vulnerabilities in the future.
Mettre à jour vers une version corrigée ou appliquer le correctif fourni par le fournisseur. Valider et nettoyer les entrées utilisateur, en particulier le paramètre 'name' dans le fichier add-user.php, pour éviter l'injection de code malveillant. Implémenter une politique de sécurité de contenu (CSP) pour atténuer les attaques XSS.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2024-13069 is a cross-site scripting (XSS) vulnerability affecting Multi Role Login System versions 1.0–1.0, allowing attackers to inject malicious scripts through the /endpoint/add-user.php file.
You are affected if you are using Multi Role Login System version 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'name' parameter.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed, increasing the risk of exploitation.
Refer to the vendor's website or security advisories for the official advisory regarding CVE-2024-13069.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.