Platform
php
Component
land-record-system
Fixed in
1.0.1
CVE-2024-13075 is a problematic cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0 (the affected range is given as 1.0 through 1.0). The flaw lets an attacker inject script into pages served by the application, which can lead to session hijacking or defacement. A fix is available in version 1.0.1, and the vulnerability details have been publicly disclosed.
The XSS vulnerability in Land Record System allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited by crafting a malicious URL or injecting code through user input fields, specifically the 'Land Property Type' parameter in the /admin/add-propertytype.php file. Successful exploitation could allow an attacker to steal user session cookies, redirect users to phishing sites, or modify the content of the web page displayed to other users. The impact is amplified if the application is used to manage sensitive land records, as an attacker could potentially alter or view confidential information.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported at the time of writing, but the public disclosure makes it a potential target for opportunistic attackers. The vulnerability was published on 2024-12-31.
Organizations using PHPGurukul Land Record System version 1.0, particularly those handling sensitive land records, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially lead to the compromise of other users' accounts.
• php: Examine the /admin/add-propertytype.php file for unsanitized handling of user input. Look for places where the 'Land Property Type' value is echoed into the page without context-appropriate output encoding (for HTML, htmlspecialchars with ENT_QUOTES).
• generic web: Monitor access logs for suspicious requests to /admin/add-propertytype.php with unusual parameters in the 'Land Property Type' field.
• generic web: Probe the endpoint with a harmless test payload and check whether it comes back unencoded in the response body. Let curl URL-encode the value; the parameter name is shown here as the form label, so take the real field name from the form's HTML if it differs: curl -G --data-urlencode 'Land%20Property%20Type=<script>alert("XSS")</script>' 'http://your-land-record-system/admin/add-propertytype.php'
• generic web: Check response headers for a Content-Security-Policy header, which can limit the impact of XSS. X-XSS-Protection may also be present, but it is deprecated and ignored by current browsers, so do not rely on it.
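The log-monitoring step above can be scripted. The following PHP snippet is an added example, not part of the advisory or of PHPGurukul's code: it reads combined-format access-log lines, keeps only requests to /admin/add-propertytype.php, decodes the query string and flags values that carry markup or inline event handlers. The log lines are constructed for illustration.

```php
<?php
// Added example (not from the advisory or PHPGurukul): flag access-log
// requests to /admin/add-propertytype.php whose query string carries
// markup typical of XSS probes. Sample log lines below are constructed.

declare(strict_types=1);

const TARGET_PATH = '/admin/add-propertytype.php';

// Decode percent-encoding the way the PHP application would see the query.
// Decoding twice also catches double-encoded probes; harmless on plain input.
function decodeQuery(string $query): string
{
    return urldecode(urldecode($query));
}

/**
 * Return true if the request line looks like an XSS probe against the
 * vulnerable endpoint. $logLine is one combined-format access-log line.
 */
function isSuspiciousRequest(string $logLine): bool
{
    // Pull "METHOD /path?query HTTP/x.y" out of the quoted request field.
    if (!preg_match('/"(?:GET|POST) ([^ "]+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $url = parse_url($m[1]);
    if (($url['path'] ?? '') !== TARGET_PATH) {
        return false;
    }
    $query = decodeQuery($url['query'] ?? '');
    // A property-type label should never contain a tag, a javascript: URL
    // or an on*= event handler. Expect some false positives on free text.
    return (bool) preg_match('/<\s*\/?\s*[a-z]|javascript:|on[a-z]+\s*=/i', $query);
}

/** Filter a list of log lines down to the suspicious ones. */
function findSuspicious(array $lines): array
{
    return array_values(array_filter($lines, 'isSuspiciousRequest'));
}

// Constructed sample log lines (not real traffic).
$sampleLog = [
    '203.0.113.5 - - [31/Dec/2024:10:00:01 +0000] "GET /admin/add-propertytype.php?Land%20Property%20Type=Residential HTTP/1.1" 200 512',
    '203.0.113.7 - - [31/Dec/2024:10:00:02 +0000] "GET /admin/add-propertytype.php?Land%20Property%20Type=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [31/Dec/2024:10:00:03 +0000] "GET /admin/index.php?x=%3Cb%3E HTTP/1.1" 200 128',
    '203.0.113.8 - - [31/Dec/2024:10:00:04 +0000] "GET /admin/add-propertytype.php?Land%20Property%20Type=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 640',
];

// Expected: the second and fourth lines are reported, the others are not.
foreach (findSuspicious($sampleLog) as $hit) {
    echo "ALERT: $hit\n";
}
```

This only sees parameters that appear in the URL. If the form submits the field in a POST body, a standard access log does not record it, and the equivalent check has to run on a WAF or ModSecurity audit log, or on the application's own request logging.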
disclosure
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13075 is to upgrade to version 1.0.1 of PHPGurukul Land Record System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'Land Property Type' field in /admin/add-propertytype.php to sanitize user input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update the application's codebase to address potential security vulnerabilities.
Update to a patched version, or implement the necessary safeguards in the file /admin/add-propertytype.php to prevent malicious code injection through the 'Land Property Type' field. Apply server-side input validation and sanitization to prevent XSS attacks. Consider using context-specific escape functions for output data.
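The mitigation advice above (validate on input, encode on output with a context-specific escape function) is shown concretely in the following PHP example. It is added here and is not PHPGurukul's code; the POST field name 'propertytype', the table name 'tblpropertytype' and the column 'PropertyType' are assumptions, and the payload is constructed. The unsafe rendering function shows the pattern that produces the flaw; the rest shows the hardened handling of the same value.

```php
<?php
// Added example (not PHPGurukul's code): the unsafe output pattern behind
// a stored/reflected XSS, and the hardened handling of the same field.
// Field name 'propertytype', table 'tblpropertytype' and column
// 'PropertyType' are assumptions for illustration.

declare(strict_types=1);

/** Vulnerable pattern: raw user input concatenated into HTML. */
function renderUnsafe(string $type): string
{
    return "<td>$type</td>";
}

/**
 * Input validation: a property type is a short label made of letters,
 * digits, spaces and a little punctuation. Returns null when rejected.
 */
function validatePropertyType(string $raw): ?string
{
    $value = trim($raw);
    if ($value === '' || mb_strlen($value) > 60) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,\-\/()&]+$/u', $value)) {
        return null;
    }
    return $value;
}

/** Output encoding for an HTML element body or quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened rendering: escape at the HTML sink, whatever was stored. */
function renderSafe(string $type): string
{
    return '<td>' . e($type) . '</td>';
}

/**
 * Handler sketch: validate on input, store with a prepared statement,
 * encode on output. $pdo is an already-connected PDO handle.
 */
function handleAddPropertyType(PDO $pdo, array $post): string
{
    $type = validatePropertyType((string) ($post['propertytype'] ?? ''));
    if ($type === null) {
        return '<p class="error">Invalid property type.</p>';
    }
    $stmt = $pdo->prepare('INSERT INTO tblpropertytype (PropertyType) VALUES (:t)');
    $stmt->execute([':t' => $type]);
    return '<p>Added: ' . e($type) . '</p>';
}

// Demonstration with a constructed probe value.
$probe = '<script>alert("XSS")</script>';
echo renderUnsafe($probe), "\n";                     // tag reaches the browser intact
echo renderSafe($probe), "\n";                       // &lt;script&gt;... shown as text
var_dump(validatePropertyType($probe));              // NULL: rejected before storage
var_dump(validatePropertyType('Residential Plot'));  // string(16) "Residential Plot"
```

Keep both layers: validation stops new hostile values from being stored, while output encoding also neutralizes values that were stored before the fix. The escape function above is correct only for HTML body and quoted-attribute contexts; a value placed inside a script block or a URL needs the encoder for that context (json_encode or rawurlencode respectively) instead.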
CVE-2024-13075 is a cross-site scripting (XSS) vulnerability in PHPGurukul Land Record System version 1.0 (affected range 1.0 through 1.0), allowing attackers to inject malicious scripts.
You are affected if you are using PHPGurukul Land Record System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. If immediate upgrade is not possible, implement input validation and output encoding.
While no active campaigns are currently confirmed, the public disclosure increases the risk of exploitation.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-13075.