Platform: php
Component: land-record-system
Fixed in: 1.0.1
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability, rated as problematic, in PHPGurukul Land Record System version 1.0. It resides in the /admin/add-property.php file and is triggered by manipulation of the Land Subtype argument. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13077 allows an attacker to inject malicious scripts into the Land Record System's web interface. This can lead to various consequences, including session hijacking, defacement of the administrative panel, and redirection of users to malicious websites. The attacker could potentially steal sensitive information, such as user credentials or property data, depending on the level of access granted to the compromised account. Given the administrative context of /admin/add-property.php, the impact could be significant if an administrator's session is compromised.
CVE-2024-13077 has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to this specific vulnerability, the availability of public information makes it a potential target for opportunistic attackers. The exploit's simplicity suggests a relatively low barrier to entry for exploitation. The vulnerability was added to the NVD on 2024-12-31.
Organizations utilizing PHPGurukul Land Record System version 1.0 are at risk. Specifically, those with publicly accessible administrative interfaces or those who haven't implemented robust input validation measures are particularly vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk.
• php: Examine the /admin/add-property.php file for unsanitized input handling of the 'Land Subtype' parameter.
• generic web: Monitor access logs for requests to /admin/add-property.php with unusual or suspicious values in the Land Subtype parameter. Use curl to test the endpoint with various payloads: curl 'http://example.com/admin/add-property.php?Land%20Subtype=<script>alert("XSS")</script>'
• generic web: Check response headers for Content-Security-Policy (CSP) directives that could mitigate XSS attacks. curl -I http://example.com/admin/add-property.php
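The log-monitoring check above, worked through as an added example (this is not code from the advisory or from the PHPGurukul project). It parses combined-format access log lines, keeps only requests to /admin/add-property.php, and flags any query parameter whose decoded value contains tag or event-handler markup. The log lines are constructed for the example, and the parameter name follows the advisory's "Land Subtype" wording; the real form field name may differ. One caveat: if the form submits its fields in a POST body, the values will not appear in standard access logs, and the same check would have to run on application or WAF logs instead.

```php
<?php
// Added example, not part of the original advisory or the PHPGurukul code base.
declare(strict_types=1);

/** Coarse heuristic: does a decoded parameter value carry tag or event-handler markup? */
function looksLikeMarkup(string $value): bool
{
    // Decode twice to catch double-encoded values; decoding plain text is harmless.
    $decoded = rawurldecode(rawurldecode($value));
    return (bool) preg_match('/<\s*\/?\s*[a-z]|on[a-z]+\s*=|javascript\s*:/i', $decoded);
}

/**
 * Parse one combined-format access log line into method, path, status and query parameters.
 * Returns null when the line does not match the expected request format.
 * Note: parse_str() rewrites spaces in parameter names to underscores,
 * so "Land Subtype" shows up as "Land_Subtype".
 */
function parseAccessLine(string $line): ?array
{
    if (!preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    $params = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $params);
    }
    return [
        'method' => $m[1],
        'path'   => $url['path'] ?? '',
        'status' => (int) $m[3],
        'params' => $params,
    ];
}

/** Return suspicious lines for the affected endpoint, keyed by 1-based line number. */
function findSuspiciousRequests(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $req = parseAccessLine($line);
        if ($req === null || $req['path'] !== '/admin/add-property.php') {
            continue;
        }
        foreach ($req['params'] as $name => $value) {
            if (is_string($value) && looksLikeMarkup($value)) {
                $hits[$i + 1] = sprintf('%s %s: markup in parameter "%s"', $req['method'], $req['path'], $name);
            }
        }
    }
    return $hits;
}

// Constructed sample lines: one benign, one carrying markup, one for an unrelated endpoint.
$sampleLog = [
    '203.0.113.5 - - [02/Jan/2025:09:12:01 +0000] "GET /admin/add-property.php?Land%20Subtype=Residential HTTP/1.1" 200 4310',
    '203.0.113.9 - - [02/Jan/2025:09:13:44 +0000] "GET /admin/add-property.php?Land%20Subtype=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 4402',
    '203.0.113.9 - - [02/Jan/2025:09:14:02 +0000] "GET /admin/dashboard.php?q=%3Cb%3E HTTP/1.1" 200 1200',
];

foreach (findSuspiciousRequests($sampleLog) as $lineNo => $reason) {
    echo "line $lineNo: $reason\n";   // only line 2 is reported
}
```

Run it with `php scan.php` against lines pulled from the web server's access log; for a real deployment, feed it the log stream rather than an inline array and alert on any hit for the administrative path.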
disclosure
Exploit status
EPSS
0.13% (percentile 32%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13077 is to upgrade PHPGurukul Land Record System to version 1.0.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Land Subtype field to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /admin/add-property.php endpoint can provide an additional layer of protection. Regularly review and update input validation routines to prevent future XSS vulnerabilities.
Update to a fixed version or apply the necessary security measures to prevent execution of XSS code. Validate and escape user input, in particular the 'Land Subtype' parameter in the add-property.php file. Consider implementing a Content Security Policy (CSP) to mitigate XSS attacks.
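The validation, escaping and CSP measures recommended above, shown side by side with the reflected-output pattern they replace. This is an added example written for this page; it is neither the PHPGurukul code nor the vendor's 1.0.1 patch. The form field name (`landsubtype`), the allow-list of subtypes, the table name and the column name are assumptions chosen for illustration.

```php
<?php
// Added example, not the PHPGurukul code base and not the vendor's 1.0.1 fix.
declare(strict_types=1);

// --- Vulnerable pattern: the submitted value is reflected into HTML unchanged. ---
function renderSubtypeVulnerable(string $landSubtype): string
{
    return '<td>' . $landSubtype . '</td>';   // a "<script>" in the input becomes live markup
}

// --- Hardened pattern: validate on input, escape on output, restrict with CSP. ---

/** Allowed values for the field (assumed list; take yours from the application's own form). */
const LAND_SUBTYPES = ['Residential', 'Commercial', 'Agricultural', 'Industrial'];

/**
 * Validate the raw form value: trim, cap the length, enforce the allow-list.
 * Returns the canonical value, or null when the input is rejected.
 */
function validateLandSubtype(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > 50) {
        return null;
    }
    foreach (LAND_SUBTYPES as $allowed) {
        if (strcasecmp($allowed, $value) === 0) {
            return $allowed;
        }
    }
    return null;
}

/** Escape for HTML text and attribute contexts; ENT_QUOTES covers both quote styles. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSubtypeHardened(string $landSubtype): string
{
    return '<td>' . e($landSubtype) . '</td>';
}

/** Response headers that limit what an injected script could do if escaping were ever missed. */
function securityHeaders(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        'X-Content-Type-Options: nosniff',
    ];
}

/** Request-handler sketch; the table and column names are assumptions for the example. */
function handleAddProperty(array $post, PDO $db): string
{
    foreach (securityHeaders() as $h) {
        header($h);
    }
    $subtype = validateLandSubtype($post['landsubtype'] ?? null);
    if ($subtype === null) {
        http_response_code(400);
        return '<p>Invalid land subtype.</p>';
    }
    // Prepared statement: the value never reaches the SQL text directly.
    $stmt = $db->prepare('INSERT INTO tblproperty (LandSubtype) VALUES (:subtype)');
    $stmt->execute([':subtype' => $subtype]);
    return renderSubtypeHardened($subtype);
}

// Demonstration without a web server: the constructed payload is neutralised.
$payload = '<script>alert("XSS")</script>';
echo renderSubtypeVulnerable($payload), "\n";   // live markup
echo renderSubtypeHardened($payload), "\n";     // &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
var_dump(validateLandSubtype($payload));        // NULL: rejected before it is stored
var_dump(validateLandSubtype(' residential ')); // string(11) "Residential"
```

Validation and escaping are independent layers: the allow-list stops the value being stored, and the escaping protects every place the stored value is later rendered, including records that predate the fix. The CSP header is a third layer that applies even to pages this handler does not touch.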
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts via the /admin/add-property.php file.
Yes, if you are running PHPGurukul Land Record System version 1.0, you are affected by this XSS vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to PHPGurukul Land Record System version 1.0.1 or later. As a temporary workaround, implement input validation and sanitization on the Land Subtype field.
While no confirmed active campaigns have been reported, the public disclosure of the vulnerability increases the likelihood of exploitation by opportunistic attackers.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-13077 and the Land Record System.