Platform: php
Component: simple-student-result-management-system
Fixed in: 5.6.1
CVE-2024-1022 is a cross-site scripting (XSS) vulnerability, classified as problematic, in the Simple Student Result Management System. The flaw lets an attacker inject script into pages served to other users, potentially compromising their sessions and the integrity of stored data. It affects version 5.6 of the system and is resolved in version 5.6.1. Public disclosure has already occurred, which increases the risk of exploitation.
An attacker exploits the flaw by submitting JavaScript in the 'Class Name' parameter handled by /add_classes.php. Because the value is rendered into a page without being escaped, the browser of any user who views that page executes the attacker's code. This can lead to session hijacking, redirection to phishing sites, or defacement of the application. The impact grows with the number of users and the sensitivity of the data the installation handles, since one injected payload can compromise every account that views the affected page. Although the CVSS score is LOW, the ease of injecting the payload and the potential for user compromise should not be underestimated.
This vulnerability has been publicly disclosed, and a proof-of-concept may be available. Its inclusion in VDB-252291 indicates a level of public awareness and potential for exploitation. The LOW CVSS score suggests that exploitation may require specific user interaction or a targeted attack, but the ease of injecting the payload could lower the barrier to entry for less sophisticated attackers. No active campaigns or KEV listing are currently associated with this CVE.
Educational institutions and organizations utilizing the Simple Student Result Management System for managing student data are at risk. Specifically, those running version 5.6 without proper input validation or a WAF are particularly vulnerable. Shared hosting environments where multiple users share the same server resources could experience wider impact if one user's account is compromised.
• php / web: look for script tags already embedded in the deployed file or the data it renders:
grep -r "<script" /var/www/html/add_classes.php
• php / web: submit a harmless test payload in the 'Class Name' parameter and inspect the full response (the URL is quoted so the shell does not treat < and > as redirections; -i keeps the body, which a HEAD request would not return):
curl -sS -i "http://your-server/add_classes.php?Class+Name=<script>alert('XSS')</script>"
• generic web: check whether the server sends the legacy X-XSS-Protection header; its absence does not prove the flaw is present, and its presence does not fix it:
curl -sS -I "http://your-server/add_classes.php?Class+Name=<script>alert('XSS')</script>" | grep -i 'x-xss-protection'
Exploit status: disclosure
EPSS: 0.10% (28th percentile)
CVSS vector:
The primary mitigation for CVE-2024-1022 is to upgrade to version 5.6.1 of the Simple Student Result Management System. If an immediate upgrade is not possible, validate the 'Class Name' parameter in /add_classes.php and escape it wherever it is written into HTML, so that injected markup is rendered as text rather than executed. A Web Application Firewall (WAF) with XSS filtering rules can block obvious payloads in the meantime, but it is a stopgap, not a fix. Regularly review and update the application's security configuration to minimise the attack surface. After upgrading, confirm the fix by submitting a harmless test string such as <script>alert(1)</script> in the 'Class Name' field and verifying that it is displayed literally and does not execute.
Update to a patched version, or apply a fix that correctly filters and escapes user input in the add_classes.php file, specifically the Class Name parameter, to prevent XSS attacks. Validating and sanitising user input is essential. If no patched version is available, consider disabling or removing the vulnerable functionality until a fix can be applied.
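The following PHP script is an added example and is not code from the advisory or from the Simple Student Result Management System itself. It contrasts a handler that echoes the 'Class Name' value back into HTML verbatim (the pattern the advisory describes) with one that validates the value and escapes it on output, as the mitigation above recommends. The function names, the validation rule and the simulated handler are assumptions for illustration; the real add_classes.php is not reproduced here.

```php
<?php
// Added example, not code from Simple Student Result Management System.
// Function names, the validation rule and the handler shape are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the submitted value is interpolated into HTML verbatim,
// so a value such as <script>alert('XSS')</script> runs in the viewer's browser.
function render_class_row_vulnerable(string $className): string
{
    return "<tr><td>" . $className . "</td></tr>";
}

// Hardened pattern, part 1: reject input that cannot be a class name.
// Letters, digits, spaces and a few punctuation characters, 1 to 50 characters.
function validate_class_name(string $className): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} .\-\/]{1,50}$/u', $className);
}

// Hardened pattern, part 2: escape on output regardless of what validation allowed.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop the whole value.
function render_class_row_safe(string $className): string
{
    $escaped = htmlspecialchars($className, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<tr><td>" . $escaped . "</td></tr>";
}

// Simulated handler for the add-class request. Returns [HTTP status, body]
// instead of echoing so it can be exercised without a web server.
function handle_add_class(array $post): array
{
    $name = (string) ($post['Class Name'] ?? '');
    if (!validate_class_name($name)) {
        return [400, 'Invalid class name'];
    }
    return [200, render_class_row_safe($name)];
}

// Constructed inputs for a stand-alone run (php this_file.php).
$payload = "<script>alert('XSS')</script>";
$legit   = "Grade 10 - Section A";

echo "vulnerable: " . render_class_row_vulnerable($payload) . PHP_EOL;
echo "safe:       " . render_class_row_safe($payload) . PHP_EOL;

[$status, $body] = handle_add_class(['Class Name' => $payload]);
echo "handler on payload: $status $body" . PHP_EOL;   // 400, rejected by validation

[$status, $body] = handle_add_class(['Class Name' => $legit]);
echo "handler on legit:   $status $body" . PHP_EOL;   // 200, rendered escaped
```

Output escaping is the control that actually closes the XSS: the `safe` line prints `&lt;script&gt;...` as inert text even when the same payload is fed straight to the renderer, whereas validation alone would stop protecting the moment someone loosens the allowed character set. Keep both, but never rely on the first without the second.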
CVE-2024-1022 is a cross-site scripting vulnerability affecting version 5.6 of the Simple Student Result Management System, allowing attackers to inject malicious scripts through the 'Class Name' parameter of the /add_classes.php file.
You are affected if you are using Simple Student Result Management System version 5.6. Upgrade to version 5.6.1 to mitigate the risk.
Upgrade to version 5.6.1. If immediate upgrade isn't possible, implement input validation and sanitization on the 'Class Name' parameter and consider using a WAF.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed and may be targeted by attackers. Vigilance and prompt mitigation are recommended.
Refer to the vendor's official advisory or security bulletin for the Simple Student Result Management System for detailed information and updates regarding CVE-2024-1022.