Platform
php
Component
bhojon-best-restaurant-management-software
Fixed in
2.9.1
A cross-site scripting (XSS) vulnerability has been identified in Bdtask Bhojon Best Restaurant Management Software version 2.9. It affects the /dashboard/message component, where the Title argument can be manipulated. Successful exploitation leads to script execution in a user's browser, potentially exposing sensitive data. The vulnerability is fixed in version 2.9.1.
This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the Bhojon Best Restaurant Management Software application. An attacker could leverage this to steal user session cookies, redirect users to malicious websites, or deface the application's interface. The impact is amplified if the application is used to manage sensitive customer data or financial transactions, as an attacker could potentially gain access to this information. The vulnerability's location within the message page suggests that it could be exploited through crafted messages or comments, potentially affecting a wide range of users.
This vulnerability was publicly disclosed on February 22, 2024, and has been assigned identifier VDB-254531. The vendor was contacted but did not respond. The CVSS score is 2.4 (LOW), indicating low severity rather than low likelihood. However, the public availability of the vulnerability details and the ease of exploitation warrant prompt attention. No active exploitation campaigns have been publicly reported at the time of this writing.
Restaurants and businesses utilizing Bhojon Best Restaurant Management Software version 2.9 are at risk. This includes establishments relying on the software for online ordering, table management, and customer communication. Shared hosting environments where multiple websites share the same server resources are particularly vulnerable, as a compromise of one website could potentially impact others.
• generic web: Use curl to test the /dashboard/message endpoint with a malicious payload in the Title parameter. Examine the response for signs of script execution.
curl 'http://<target>/dashboard/message?Title=<script>alert("XSS")</script>'
• generic web: Check access and error logs for suspicious requests targeting the /dashboard/message endpoint with unusual parameters.
• php: Examine the application's source code for the /dashboard/message endpoint to identify potential vulnerabilities in input validation and sanitization.
• php: Monitor PHP error logs for any errors related to script execution or unexpected behavior.
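The log review suggested above can be automated. The following is an added example, not part of the advisory or of the Bhojon code base: it scans combined-format access-log lines for requests to /dashboard/message whose Title parameter carries HTML or script markup. The log lines are constructed for the example, and the function names are assumptions.

```php
<?php
// Added example (not from the advisory or the Bhojon project): flag access-log
// entries for /dashboard/message whose Title parameter contains markup.
// The log lines below are constructed sample data.
declare(strict_types=1);

const ACCESS_LOG_SAMPLE = [
    '203.0.113.7 - - [22/Feb/2024:10:01:02 +0000] "GET /dashboard/message?Title=Weekly%20menu HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Feb/2024:10:01:05 +0000] "GET /dashboard/message?Title=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Feb/2024:10:01:07 +0000] "POST /dashboard/message HTTP/1.1" 302 0',
    '198.51.100.4 - - [22/Feb/2024:10:02:00 +0000] "GET /dashboard/message?Title=Table%2012%20%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512',
];

/** Return the URL-decoded Title value of a /dashboard/message request line, or null. */
function extractTitle(string $logLine): ?string
{
    if (!preg_match('/"(?:GET|POST) \/dashboard\/message(?:\?(\S*))? HTTP/', $logLine, $m)) {
        return null;
    }
    if (empty($m[1])) {
        return null;  // no query string (e.g. a POST whose body is not logged)
    }
    parse_str($m[1], $params);  // parse_str percent-decodes each value
    return isset($params['Title']) ? (string) $params['Title'] : null;
}

/** True when a Title value contains markup typical of a reflected XSS attempt. */
function looksLikeMarkupInjection(string $title): bool
{
    // Tags, event-handler attributes and javascript: URIs never belong in a message title.
    return (bool) preg_match('/<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i', $title);
}

/** Reduce a list of access-log lines to those an analyst should look at. */
function suspiciousRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        $title = extractTitle($line);
        if ($title !== null && looksLikeMarkupInjection($title)) {
            $hits[] = ['title' => $title, 'line' => $line];
        }
    }
    return $hits;
}

foreach (suspiciousRequests(ACCESS_LOG_SAMPLE) as $hit) {
    fprintf(STDOUT, "ALERT Title=%s\n    %s\n", $hit['title'], $hit['line']);
}
```

Run it with the PHP CLI (`php scan.php`); on the sample data the second and fourth lines are reported. Decoding the query string before matching matters: the markup arrives percent-encoded, so a pattern applied to the raw log line would miss it.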
disclosure
patch
Exploit status
EPSS
0.13% (percentile 33%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-1749 is to upgrade to Bhojon Best Restaurant Management Software version 2.9.1 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Title argument within the /dashboard/message endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.
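To make the interim mitigation concrete, here is an added example that is not code from the Bhojon project: it places the unsafe pattern the advisory describes (the Title parameter echoed unencoded into the page) next to a hardened version that validates on input and encodes on output. Function names, the length limit and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not code from the Bhojon project: unsafe reflection of the
// Title parameter versus validation plus HTML output encoding.
// Function names and TITLE_MAX_LENGTH are assumptions for this example.
declare(strict_types=1);

const TITLE_MAX_LENGTH = 120;

/**
 * Accept a message title only if it is a short, printable, tag-free string.
 * Validation limits what gets stored; it does not replace output encoding.
 */
function validateTitle(string $raw): ?string
{
    $title = trim($raw);
    if ($title === '' || mb_strlen($title) > TITLE_MAX_LENGTH) {
        return null;
    }
    // Reject control characters and angle brackets outright; titles never need them.
    if (preg_match('/[\x00-\x1F\x7F<>]/u', $title)) {
        return null;
    }
    return $title;
}

/** Encode for an HTML text or attribute context; this is the actual XSS fix. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the parameter is written into the page unencoded. */
function renderTitleUnsafe(array $query): string
{
    return '<h2>' . ($query['Title'] ?? '') . '</h2>';
}

/** Hardened pattern: validate on input, encode on output, fail closed. */
function renderTitleSafe(array $query): string
{
    $title = validateTitle((string) ($query['Title'] ?? ''));
    if ($title === null) {
        return '<h2>' . h('Invalid title') . '</h2>';  // neutral fallback, nothing reflected
    }
    return '<h2>' . h($title) . '</h2>';
}

// Constructed inputs: a benign title and a markup payload of the kind the advisory describes.
$cases = [
    ['Title' => "Tonight's specials & drinks"],
    ['Title' => '<script>alert(1)</script>'],
];
foreach ($cases as $q) {
    echo 'unsafe: ' . renderTitleUnsafe($q) . PHP_EOL;
    echo 'safe:   ' . renderTitleSafe($q) . PHP_EOL;
}
```

Run it with `php render.php`. For the benign title the safe renderer keeps the text readable (only the apostrophe and ampersand are entity-encoded at output time), while the markup payload is rejected by validation and would be rendered inert by `h()` even if validation were bypassed. Encoding belongs at the point of output because the same stored value may later be placed in an attribute, a script block or JSON, each needing its own encoder.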
Update to a patched version or apply the necessary security measures to prevent injection of malicious code through the 'Title' field on the messages page. Validating and sanitizing user input is crucial. If no patched version is available, consider disabling or removing the vulnerable functionality until a fix is published.
CVE-2024-1749 is a cross-site scripting (XSS) vulnerability affecting Bhojon Best Restaurant Management Software 2.9, allowing attackers to inject malicious scripts via the /dashboard/message endpoint.
If you are using Bhojon Best Restaurant Management Software version 2.9, you are potentially affected by this vulnerability. Upgrade to version 2.9.1 or later to mitigate the risk.
The recommended fix is to upgrade to Bhojon Best Restaurant Management Software version 2.9.1 or later. Consider input validation as a temporary workaround if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly reported, the vulnerability is publicly disclosed and may be exploited. Prompt patching is recommended.
Refer to the Bhojon Best Restaurant Management Software website or their official communication channels for the latest advisory regarding CVE-2024-1749.