प्लेटफ़ॉर्म
php
घटक
simple-online-hotel-reservation-system
में ठीक किया गया
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Simple Online Hotel Reservation System versions 1.0. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and stealing sensitive information. The vulnerability resides in the add_reserve.php file, specifically within the handling of the Firstname/Lastname parameters. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-0504 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Simple Online Hotel Reservation System. This can lead to various malicious actions, including session hijacking, redirection to phishing sites, and the theft of sensitive data such as login credentials or personal information. The attack is remotely exploitable, meaning an attacker does not need to be on the same network as the vulnerable system. The blast radius is limited to users interacting with the 'Make a Reservation Page' and submitting data through the add_reserve.php script.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW (3.5), indicating a relatively low probability of exploitation in the wild. It was published on 2024-01-13. No active campaigns or KEV listing are currently associated with this CVE.
Organizations and individuals using the Simple Online Hotel Reservation System version 1.0 are at risk. This includes small businesses, hotels, and any entity relying on this system for online reservations. Shared hosting environments where multiple websites share the same server resources are particularly vulnerable, as a compromise of one website could potentially impact others.
• php / web:
grep -r '<script>' /var/www/html/add_reserve.php• generic web:
curl -I http://your-hotel-reservation-system/add_reserve.php?Firstname/Lastname=<script>alert(1)</script>disclosure
एक्सप्लॉइट स्थिति
EPSS
0.06% (19% शतमक)
CVSS वेक्टर
The primary mitigation for CVE-2024-0504 is to upgrade to version 1.0.1 of the Simple Online Hotel Reservation System. This version contains a fix that addresses the vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Firstname/Lastname parameters within the add_reserve.php file to prevent the injection of malicious scripts. While not a complete solution, this can reduce the attack surface. After upgrading, confirm the fix by attempting to inject a simple script tag (e.g., <script>alert(1)</script>) into the Firstname/Lastname fields and verifying that the script is not executed.
Actualice el sistema de reservas de hotel a una versión parcheada que solucione la vulnerabilidad XSS. Como alternativa, filtre y valide adecuadamente las entradas de los campos Firstname y Lastname en el archivo add_reserve.php para evitar la inyección de scripts maliciosos. Implemente también una política de seguridad de contenido (CSP) para mitigar el riesgo de ejecución de scripts no autorizados.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-0504 is a cross-site scripting (XSS) vulnerability in Simple Online Hotel Reservation System versions 1.0, allowing attackers to inject malicious scripts via the Firstname/Lastname parameters.
You are affected if you are using Simple Online Hotel Reservation System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the Firstname/Lastname parameters.
While publicly disclosed, there's no confirmed active exploitation at this time, but a proof-of-concept may be available.
Refer to the vendor's website or security advisories for the most up-to-date information regarding CVE-2024-0504.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।