PHPGurukul ब्लड बैंक और डोनर मैनेजमेंट सिस्टम update-contactinfo.php क्रॉस साइट स्क्रिप्टिंग

An attacker can exploit this XSS vulnerability by crafting a malicious URL containing a specially crafted Address parameter. When a user with sufficient privileges (likely an administrator) accesses this URL, the injected script will execute in their browser context. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or deface the application's administrative interface. The potential impact extends to sensitive data stored within the Blood Bank & Donor Management System, including donor information and blood inventory details. While the CVSS score is LOW, the potential for privilege escalation within the administrative interface makes this a concerning vulnerability.

Organizations utilizing the PHPGurukul Blood Bank & Donor Management System version 2.4, particularly those with limited security resources or those who haven't implemented robust input validation practices, are at significant risk. Healthcare providers and blood banks relying on this system for managing donor information and blood inventory are especially vulnerable.

• php: Examine the /bbdms/admin/update-contactinfo.php file for unsanitized input handling of the Address parameter. Search for instances where user-supplied data is directly outputted to the HTML without proper encoding.

// Example of vulnerable code (simplified)
<?php
  echo $_GET['Address']; // Vulnerable to XSS
?>

• generic web: Monitor access logs for unusual requests to /bbdms/admin/update-contactinfo.php with suspicious characters in the Address parameter (e.g., <script>, javascript:). • generic web: Check response headers for signs of script injection (e.g., Content-Security-Policy header missing or improperly configured). • generic web: Use a web vulnerability scanner to automatically detect XSS vulnerabilities in the application.

1. 2024-12-27Disclosure

   disclosure

1. आरक्षित2024-12-26
2. प्रकाशित2024-12-27
3. EPSS अद्यतन2026-04-02

The primary mitigation for CVE-2024-12982 is to upgrade to version 2.4.1 of the Blood Bank & Donor Management System. This version includes a fix for the vulnerable parameter handling. If an immediate upgrade is not possible, consider implementing input validation and sanitization on the Address parameter within the /bbdms/admin/update-contactinfo.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script (e.g., <script>alert('XSS')</script>) into the Address field and verifying that the script does not execute.