Platform: php
Component: online-job-portal
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Job Portal version 1.0. The flaw resides in the Manage Job Page, specifically the /Employer/ManageJob.php file. An attacker can trigger it by manipulating the Qualification/Description argument, which can lead to execution of attacker-supplied script in a victim's browser. The vulnerability has been publicly disclosed and a patch is available in version 1.0.1.
Successful exploitation of CVE-2024-1922 allows an attacker to inject arbitrary JavaScript code into the Online Job Portal. This could be used to steal user credentials (usernames, passwords, session cookies), redirect users to malicious websites, or deface the job portal's pages. The impact is amplified if the portal handles sensitive user data, such as resumes or personal information. While the CVSS score is LOW, the ease of exploitation and potential for data theft make this a significant concern, particularly for portals with a large user base or those handling confidential information. The public disclosure increases the risk of immediate exploitation.
This vulnerability has been publicly disclosed, and the identifier VDB-254857 has been assigned. The exploit is considered relatively straightforward, increasing the likelihood of exploitation. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public availability of the vulnerability makes it a potential target for opportunistic attackers. It is not listed on the CISA KEV catalog.
Organizations and individuals using SourceCodester Online Job Portal version 1.0 are at risk. This includes small businesses, startups, and job boards that rely on this platform for managing job postings and applicant information. Shared hosting environments where multiple users share the same server are particularly vulnerable, as an attacker could potentially compromise other users' accounts through this vulnerability.
• php: Examine the /Employer/ManageJob.php file for unsanitized input handling of the Qualification/Description parameter. Search for instances where user input is written directly to the page without proper output encoding.

```php
<?php
// Example of vulnerable code: the request parameter is echoed into the
// HTML response without any encoding, so markup in it is rendered as-is.
echo $_GET['Qualification'];
?>
```

• generic web: Monitor access logs for unusual GET requests to /Employer/ManageJob.php with suspicious parameters in the Qualification/Description field. Look for patterns indicative of XSS payloads (e.g., <script>, javascript:).

```sh
# -E makes '+' a quantifier (it is a literal character in basic grep syntax);
# -i catches mixed-case variants. URL-encoded payloads (%3Cscript%3E) still
# contain the substring "script", so this pattern matches them as well.
grep -Ei 'Qualification=[^>]+script[^<]' access.log
```

• generic web: Check response headers for a Content-Security-Policy header (and the legacy X-XSS-Protection header). Absence of these headers indicates no browser-side XSS mitigation is in place. Note that X-XSS-Protection is deprecated and ignored by current browsers, so Content-Security-Policy is the header that actually matters.

• generic web: Use a web vulnerability scanner to automatically identify and test for XSS vulnerabilities in the Online Job Portal.
disclosure
patch
Exploit Status
EPSS
0.14% (percentile 34%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1922 is to immediately upgrade to version 1.0.1 of SourceCodester Online Job Portal. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Qualification/Description field to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update the job portal's code to prevent future vulnerabilities. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload into the Qualification/Description field and verifying that it is not executed.
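The interim mitigation above (input validation plus output encoding on the Qualification/Description field, with CSP as an extra layer) in working form. This is an added example, not code from the Online Job Portal project; the helper names, the length limit and the CSP policy are assumptions.

```php
<?php
// Added example (not the project's own code): hardening for the
// Qualification/Description fields rendered by /Employer/ManageJob.php.
// Field name comes from the advisory; helper names and limits are assumed.

declare(strict_types=1);

/**
 * Encode a user-supplied string for safe interpolation into an HTML
 * text node or a double-quoted attribute value.
 */
function encodeForHtml(string $value): string
{
    // ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string and silently losing data.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Server-side validation: reject over-long values and control characters.
 * The 2000-character limit is an assumed policy, not taken from the project.
 */
function validateJobField(string $value, int $maxLen = 2000): bool
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        return false;
    }
    return mb_strlen($value, 'UTF-8') <= $maxLen
        && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $value) !== 1;
}

// Constructed sample value standing in for the request parameter.
$qualification = $_GET['Qualification'] ?? '<b>BSc</b> "Computer Science" & more';

if (!validateJobField($qualification)) {
    http_response_code(400);
    exit('Invalid Qualification value');
}

// Defence in depth: a restrictive CSP so that an encoding slip elsewhere
// still cannot load inline or cross-origin scripts.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Vulnerable pattern from the advisory, shown for contrast only:
//   echo $_GET['Qualification'];
// Hardened rendering: every value is encoded at the point of output.
echo '<p class="qualification">' . encodeForHtml($qualification) . '</p>';
```

Encoding at output time rather than at input time is what prevents stored values that predate the fix from being rendered as markup.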
Update to a patched version of the software. If no patched version is available, sanitize user input in the 'Qualification' and 'Description' fields in the `/Employer/ManageJob.php` file to prevent execution of malicious JavaScript code.
CVE-2024-1922 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Job Portal version 1.0. It allows attackers to inject malicious scripts via the Manage Job Page.
Yes, if you are using SourceCodester Online Job Portal version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 of SourceCodester Online Job Portal. As a temporary workaround, implement input validation and output encoding.
While no active campaigns have been confirmed, the public disclosure of the vulnerability increases the risk of exploitation. Vigilance and prompt patching are crucial.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-1922.