प्लेटफ़ॉर्म
php
घटक
employee-management-system---stored-xss
में ठीक किया गया
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Employee Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts by manipulating parameters within the edit-profile.php file. A patch is available in version 1.0.1, addressing this security concern.
Successful exploitation of CVE-2024-1010 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to session hijacking, credential theft, or redirection to malicious websites. The attacker could potentially gain access to sensitive employee data stored within the system, including personal information, contact details, and potentially financial records. The blast radius is limited to users interacting with the affected edit-profile.php page.
This vulnerability is publicly disclosed and documented in VDB-252279. No active exploitation campaigns or proof-of-concept exploits have been widely reported as of the publication date (2024-01-29). The CVSS score of 3.5 indicates a low severity, suggesting a relatively low probability of exploitation without significant attacker effort.
Organizations utilizing SourceCodester Employee Management System, particularly those with limited security controls or those who haven't implemented robust input validation practices, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially impact others.
• php / web:
grep -r "fullname|phone|date of birth|address|date of appointment" /var/www/html/employee_management_system/• generic web:
curl -I http://your-employee-management-system/edit-profile.php?fullname=<script>alert(1)</script>disclosure
एक्सप्लॉइट स्थिति
EPSS
0.20% (42% शतमक)
CVSS वेक्टर
The primary mitigation for CVE-2024-1010 is to immediately upgrade to version 1.0.1 of the Employee Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the fullname, phone, date of birth, address, and date of appointment parameters within the edit-profile.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the affected parameter.
Actualice a una versión parcheada del sistema de gestión de empleados. Si no hay una versión disponible, revise y filtre las entradas de los campos fullname, phone, date of birth, address y date of appointment en el archivo edit-profile.php para evitar la inyección de código malicioso. Implemente validación y sanitización de datos en el lado del servidor.
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-1010 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Employee Management System versions 1.0–1.0, allowing attackers to inject malicious scripts through parameter manipulation in edit-profile.php.
You are affected if you are using SourceCodester Employee Management System version 1.0 or 1.0. Check your version and upgrade immediately.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the affected parameters.
No active exploitation campaigns have been widely reported as of the publication date, but the vulnerability is publicly known and could be targeted.
Refer to the VDB entry VDB-252279 for details on this vulnerability.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।