Platform
php
Component
online-food-ordering-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CodeAstro Online Food Ordering System version 1.0. The flaw allows an attacker to inject script into the application's pages, potentially compromising user data and the integrity of the application as seen by its users. The vulnerability resides in the dishes.php file, specifically in the handling of the res_id argument. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-0423 lets an attacker execute arbitrary JavaScript in the victim's browser, in the origin of the food ordering site, with access to that site's DOM and any cookies not marked HttpOnly. Because the payload travels in the res_id parameter of a request, exploitation usually requires luring a user to a crafted link. Possible outcomes include session hijacking, defacement of the page, redirection to phishing sites, and theft of anything the user types into the compromised page, such as login credentials or payment details. The impact is greater where the system processes financial transactions, since the injected script can read and submit forms on the user's behalf.
This vulnerability has been publicly disclosed, which raises the risk of exploitation. The CVSS score is LOW, but the ease of exploitation and the potential impact warrant prompt attention. No active exploitation campaigns have been publicly reported as of the publication date; the availability of a public proof-of-concept means attackers can target vulnerable systems with little effort. The vulnerability database entry is VDB-250442.
Organizations running CodeAstro Online Food Ordering System version 1.0 for their online ordering are at risk. This includes restaurants, cafes, and other food vendors who rely on the system to manage orders and customer interactions. The injected script runs in the user's browser rather than on the server, so the damage is confined to the web origin that serves dishes.php; if that origin also hosts other parts of the vendor's site, the script can interact with those pages and their cookies as well.
Detection checks:
• php / web (source review): grep -n 'res_id' /var/www/html/dishes.php
  Look for the parameter being echoed or concatenated into HTML without htmlspecialchars(); the vulnerable source will not itself contain a script tag.
• generic web (reflection probe, only against a system you are authorized to test): curl -s -G --data-urlencode 'res_id=<script>alert(1)</script>' 'http://your-website.com/dishes.php' | grep -c '<script>alert(1)</script>'
  A non-zero count means the payload is reflected unencoded. A HEAD request (curl -I) returns no body and cannot show reflection.
• generic web (log review): grep -iE 'dishes\.php\?[^ ]*res_id=[^ ]*(<script|%3Cscript|onerror|onload|javascript:)' /var/log/apache2/access.log
Timeline: disclosure, patch
Exploit status
EPSS
0.15% (35th percentile)
CVSS vector
The primary mitigation for CVE-2024-0423 is to upgrade to CodeAstro Online Food Ordering System version 1.0.1 or later, which includes the fix. If an immediate upgrade is not possible, validate the res_id parameter in dishes.php against its expected form (a numeric identifier) and HTML-encode it wherever it is written into the page. A web application firewall (WAF) configured to block common XSS payloads adds a layer of defence but is not a substitute for fixing the code. Review the rest of the application for other user-supplied values that are echoed without encoding.
Update to a patched version or apply the fix provided by the vendor. Validate and sanitize user input, especially the 'res_id' parameter in the 'dishes.php' file, to prevent injection of malicious code. Deploy a Content Security Policy (CSP) to reduce the impact of XSS attacks.
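The following PHP is an added illustration of the validate-then-encode mitigation described above; it is not code from CodeAstro's dishes.php, whose exact vulnerable line is not reproduced on this page. The function names, the surrounding HTML and the assumption that res_id is meant to be a positive integer are all hypothetical.

```php
<?php
// Added example (not CodeAstro's code): the pattern behind CVE-2024-0423
// and its fix. The vulnerable handler is a representative reconstruction,
// not the project's actual dishes.php.

// VULNERABLE: res_id is read from the query string and written straight
// into HTML, so ?res_id=<script>alert(1)</script> lands in the page as-is.
function render_dish_heading_vulnerable(array $get): string
{
    $res_id = $get['res_id'] ?? '';
    return "<h2>Dishes for restaurant " . $res_id . "</h2>";
}

// HARDENED: validate the input against what it is supposed to be (assumed
// here: a positive integer restaurant id) and encode it on output anyway.
// Validation rejects junk early; encoding protects any echo that the
// validation does not cover.
function render_dish_heading_hardened(array $get): string
{
    $raw = $get['res_id'] ?? '';
    // FILTER_VALIDATE_INT returns false for anything that is not a plain
    // integer, including "<script>", "1 OR 1=1" and "1e3".
    $res_id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($res_id === false) {
        http_response_code(400);
        return "<p>Invalid restaurant id.</p>";
    }
    // ENT_QUOTES encodes < > & " and ' so the value can never close the
    // surrounding tag or attribute, even if a later change makes it a string.
    $safe = htmlspecialchars((string) $res_id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Dishes for restaurant " . $safe . "</h2>";
}

// Self-check with the classic reflection probe (constructed input).
$probe = ['res_id' => '<script>alert(1)</script>'];
assert(str_contains(render_dish_heading_vulnerable($probe), '<script>'));
assert(!str_contains(render_dish_heading_hardened($probe), '<script>'));
assert(render_dish_heading_hardened(['res_id' => '7']) === '<h2>Dishes for restaurant 7</h2>');
echo "ok\n";
```

If res_id is also used to look the restaurant up in the database, the same validated integer should be bound as a parameter of a prepared statement rather than concatenated into the SQL; the validation above happens to block the obvious SQL payloads too, but it is the output encoding that closes the XSS and the parameter binding that closes injection.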
CVE-2024-0423 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Online Food Ordering System version 1.0, allowing attackers to inject script via the 'res_id' parameter of dishes.php.
You are affected if you are running CodeAstro Online Food Ordering System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to CodeAstro Online Food Ordering System version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While no active exploitation campaigns have been confirmed, the vulnerability is publicly disclosed and a proof-of-concept exists, increasing the risk of exploitation.
Refer to the vendor's advisory or security bulletin for CodeAstro Online Food Ordering System for detailed information and updates regarding CVE-2024-0423.