Platform
php
Component
cveproject
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Simple Student Attendance System version 1.0. The flaw allows attackers to inject script into pages served by the application, potentially compromising user sessions and sensitive data. It resides in the handling of the class_date parameter of the ?page=attendance&class_id=1 endpoint, whose value is reflected into the response without output encoding. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-1834 allows an attacker to execute arbitrary JavaScript in the browser of any user who opens a crafted link to the attendance page, in the context of that user's session. This can lead to session hijacking, credential theft and defacement of the application's user interface; an attacker could capture login credentials or redirect users to phishing sites. The impact is amplified where the application manages sensitive student data, since that data could be read or modified through the victim's session.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is likely available. The VDB identifier VDB-254625 has been assigned. Given the public disclosure and ease of exploitation, it's crucial to prioritize patching. No KEV listing or active exploitation campaigns are currently reported as of the publication date.
Educational institutions and organizations running Simple Student Attendance System version 1.0 are at risk. Because injected script executes in the origin of the vulnerable site, any other application served from the same scheme, host and port (a common shared-hosting setup) is exposed as well: its authenticated pages and non-HttpOnly cookies are reachable from the injected script, so a compromise through this page can extend to those applications.
• php: Examine web server access logs for requests that carry <script> tags or other XSS payloads in the class_date parameter. Payloads usually reach the access log URL-encoded (`%3Cscript%3E` rather than `<script>`), so match both forms, for example:

grep -iE 'class_date=[^ ]*(<script|%3Cscript|onerror|onload|javascript:)' /var/log/apache2/access.log

• generic web: Use curl to send a simple XSS probe to the vulnerable endpoint:

curl 'http://example.com/?page=attendance&class_id=1&class_date=2024-02-23%22%3E%3Cscript%3Ealert(1)%3C/script%3E'

Inspect the response body (curl renders nothing, so there is no popup to look for): if the string `"><script>alert(1)</script>` comes back verbatim, the parameter is reflected without output encoding and the instance is vulnerable. A patched instance returns it HTML-encoded (`&quot;&gt;&lt;script&gt;...`) or rejects the value outright.
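The two checks above, the log search and the response inspection, as an added worked example that is not part of the original advisory or of the SourceCodester project. The log lines and response fragments are constructed for the walkthrough; the script URL-decodes the class_date value before matching (so `%3Cscript%3E` and `<script>` are treated alike, which a plain grep for `<script` misses) and classifies a response by whether the probe came back raw, HTML-encoded, or not at all:

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-log lines for the walkthrough (not from any real deployment).
# Lines 2 and 3 carry URL-encoded XSS probes in class_date; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Feb/2024:10:12:01 +0000] "GET /?page=attendance&class_id=1&class_date=2024-02-23 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Feb/2024:10:13:44 +0000] "GET /?page=attendance&class_id=1&class_date=2024-02-23%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4210 "-" "curl/8.4.0"
203.0.113.9 - - [23/Feb/2024:10:14:02 +0000] "GET /?page=attendance&class_id=1&class_date=x%22%20onmouseover%3Dalert(document.cookie)%20x%3D%22 HTTP/1.1" 200 4180 "-" "curl/8.4.0"
198.51.100.2 - - [23/Feb/2024:10:15:10 +0000] "GET /?page=attendance&class_id=2&class_date=2024-02-22 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate class_date is a bare ISO date; anything else is at least anomalous.
STRICT_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Markers that have no business in a date value. Matched after URL decoding so that
# %3Cscript%3E and <script> are treated alike; the on*= clause catches attribute
# injection that never needs a < at all.
XSS_MARKERS = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript:|<\s*(?:img|svg|iframe)\b", re.I)


def scan_access_log(text):
    """Return (line_no, client_ip, decoded_class_date) for every request whose
    class_date value carries an XSS marker once URL-decoded."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("class_date", []):
            # parse_qs decoded once; decode a second time to catch double-encoded probes.
            value = unquote_plus(value)
            if STRICT_DATE.match(value) or not XSS_MARKERS.search(value):
                continue
            hits.append((line_no, line.split()[0], value))
    return hits


# The probe the curl command above sends, as the server sees it after URL decoding.
PROBE = '2024-02-23"><script>alert(1)</script>'

# Constructed response fragments for the two possible outcomes of the curl check.
VULNERABLE_BODY = f'<input type="date" name="class_date" value="{PROBE}">'
HARDENED_BODY = f'<input type="date" name="class_date" value="{html.escape(PROBE, quote=True)}">'


def reflection_verdict(body, probe=PROBE):
    """Classify how a response echoed the probe: 'unencoded' means the instance is
    vulnerable, 'encoded' means output encoding is in place, 'absent' means the value
    was not reflected (rejected, or rendered somewhere else)."""
    if probe in body:
        return "unencoded"
    if html.escape(probe, quote=True) in body or html.escape(probe, quote=False) in body:
        return "encoded"
    return "absent"


if __name__ == "__main__":
    for line_no, ip, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: class_date={value!r}")
    print("vulnerable body:", reflection_verdict(VULNERABLE_BODY))
    print("hardened body:", reflection_verdict(HARDENED_BODY))
```

Feed the real access log to `scan_access_log` and the body of the curl response to `reflection_verdict`; an `absent` verdict means only that this probe was not echoed in that spot, not that the instance is clean, so check the rendered page for the class_date value elsewhere before closing the finding.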
disclosure
Exploit status
EPSS
0.22% (percentile 45%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-1834 is to upgrade to version 1.0.1 of the Simple Student Attendance System. If upgrading is not immediately feasible, add strict input validation for the class_date parameter (it should only ever be a calendar date) and HTML-encode the value wherever it is written into the page. A web application firewall (WAF) configured to block XSS payloads can provide a temporary layer of protection, but treat it as a stopgap rather than a fix: encoding and case variants routinely slip past signature rules. Regularly review and update the application's security configuration to minimize the attack surface.
Update to a patched version of Simple Student Attendance System. If the patched version cannot be deployed yet, validate and correctly escape user input, especially the `class_date` parameter, to prevent execution of malicious JavaScript. Consider temporarily disabling the affected functionality until a fix can be applied.
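The two mitigation layers described above, validation and output encoding, as an added example that is not the project's code and not the vendor's 1.0.1 patch. The flawed rendering is mirrored beside a hardened version so the difference is visible on the same probe; the function names are assumptions for illustration. The PHP equivalents in the real application would be `DateTime::createFromFormat('Y-m-d', $value)` plus a round-trip check for validation, and `htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')` for encoding:

```python
import html
from datetime import date

# Constructed probe: the value the curl check sends, after URL decoding.
PROBE = '2024-02-23"><script>alert(1)</script>'


def render_attendance_vulnerable(params):
    """Mirror of the flawed pattern: the query value is interpolated into HTML as-is."""
    class_date = params.get("class_date", "")
    return f'<input type="date" name="class_date" value="{class_date}">'


def validate_class_date(value):
    """Allowlist validation: class_date must be a real calendar date in YYYY-MM-DD form.
    Returns the canonical string, or None for anything else (including '2024-02-30')."""
    if not isinstance(value, str):
        return None
    try:
        parsed = date.fromisoformat(value)
    except ValueError:
        return None
    # date.fromisoformat tolerates some variants; insist on the exact canonical form.
    return value if parsed.isoformat() == value else None


def encode_for_attribute(value):
    """Output encoding for an HTML attribute context: &, <, >, " and ' are escaped,
    so a value can never close the attribute or open a tag."""
    return html.escape(value, quote=True)


def render_attendance_hardened(params):
    """Both layers applied: reject anything that is not a date, and encode what is
    rendered anyway so a later change to validation cannot reintroduce the bug."""
    class_date = validate_class_date(params.get("class_date", "")) or ""
    return f'<input type="date" name="class_date" value="{encode_for_attribute(class_date)}">'


if __name__ == "__main__":
    print("vulnerable:", render_attendance_vulnerable({"class_date": PROBE}))
    print("hardened:  ", render_attendance_hardened({"class_date": PROBE}))
    print("valid date:", render_attendance_hardened({"class_date": "2024-02-23"}))
```

Validation alone would already stop this probe, but encoding stays in because the same value is typically echoed in several places (the date picker, a heading, a hidden field), and a single spot that skips validation is enough to bring the bug back.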
CVE-2024-1834 is a cross-site scripting (XSS) vulnerability affecting Simple Student Attendance System version 1.0, allowing attackers to inject script through the class_date parameter of the attendance page.
You are affected if you are running Simple Student Attendance System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, validate the class_date parameter as a date and HTML-encode it wherever it is rendered.
While active exploitation is not currently confirmed, the vulnerability has been publicly disclosed and a proof-of-concept is likely available, increasing the risk of exploitation.
Refer to the vendor's website or security advisories for the latest information and official announcements regarding CVE-2024-1834.