Platform: php
Component: skid-nochizplz
Fixed in: 1.0.1
CVE-2024-2523 describes a problematic cross-site scripting (XSS) vulnerability discovered in the Online-College-Event-Hall-Reservation-System version 1.0. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability affects the /admin/booktime.php file and is exploitable remotely. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-2523 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Online-College-Event-Hall-Reservation-System. This can lead to session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive administrative functions if they target an administrator's session. The impact is amplified if the system is used to manage sensitive student or event data, as attackers could potentially modify or steal this information.
This vulnerability has been publicly disclosed and is tracked as VDB-256960. The vendor was contacted but did not respond. As of the public disclosure date, there are no known active exploitation campaigns targeting this vulnerability. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the public availability of the vulnerability means it should be addressed promptly.
Administrators and users with access to the /admin/booktime.php page are at the highest risk. Organizations using the Online-College-Event-Hall-Reservation-System in environments with limited security controls or those that have not implemented proper input validation are particularly vulnerable. Shared hosting environments where multiple users share the same server resources are also at increased risk.
• php: Examine /admin/booktime.php for unsanitized handling of the 'id' parameter. Search for places where the request value is written directly into the HTML without output encoding.

// Example of vulnerable code: the query parameter is echoed into the page verbatim
<?php
echo $_GET['id']; // Vulnerable to reflected XSS: no validation and no HTML encoding
?>

• generic web: Monitor access logs for unusual requests to /admin/booktime.php with suspicious values in the 'id' parameter. Look for patterns indicative of XSS attempts.
• generic web: Check HTTP responses for XSS payloads reflected in the HTML content. Use browser developer tools to inspect the DOM for unexpected script tags.
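The log-monitoring step above, as an added example that is not part of the advisory or the project's code. It scans combined-format access log lines for requests to /admin/booktime.php and flags any whose 'id' parameter is not the positive integer the page expects; the log lines, the client addresses and the function names are constructed for the example. The only payload in the sample is the `<script>alert(1)</script>` probe the advisory itself uses for verification; the detector does not depend on it, because a shape check on the parameter catches anything that is not a plain numeric id.

```php
<?php
// Added example (not from the advisory or the project): flag requests to
// /admin/booktime.php whose 'id' parameter does not look like a booking id.
declare(strict_types=1);

// Constructed sample of Apache/nginx combined-format access log lines.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "GET /admin/booktime.php?id=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2024:12:00:05 +0000] "GET /admin/booktime.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2024:12:00:09 +0000] "GET /admin/index.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.13 - - [10/Mar/2024:12:00:12 +0000] "GET /admin/booktime.php?id=abc HTTP/1.1" 200 640 "-" "Mozilla/5.0"
LOG;

// A legitimate booking id is a positive integer with no leading zeros.
function looksLikeBookingId(string $id): bool
{
    return preg_match('/^[1-9][0-9]*$/', $id) === 1;
}

// Returns one entry per suspicious request: client IP, raw line and decoded id.
function findSuspiciousBooktimeRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the client address and the request target out of the log line.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue; // not a request line we understand; skip rather than guess
        }
        [$_, $client, $target] = $m;
        $parts = parse_url($target);
        if (($parts['path'] ?? '') !== '/admin/booktime.php' || !isset($parts['query'])) {
            continue; // only the vulnerable endpoint with a query string is of interest
        }
        // parse_str percent-decodes, so the check runs on what the PHP script would see.
        parse_str($parts['query'], $params);
        $id = $params['id'] ?? null;
        if ($id === null) {
            continue;
        }
        // Arrays (id[]=...) and non-numeric strings both fail the shape check.
        if (!is_string($id) || !looksLikeBookingId($id)) {
            $hits[] = ['client' => $client, 'id' => $id, 'line' => $line];
        }
    }
    return $hits;
}

foreach (findSuspiciousBooktimeRequests(SAMPLE_LOG) as $hit) {
    printf("suspicious id from %s: %s\n", $hit['client'], is_string($hit['id']) ? $hit['id'] : json_encode($hit['id']));
}
// Flags the second and fourth sample lines; the numeric id and the other page pass.
```

Because the check is on the expected shape of the parameter rather than on a signature list, encoded or obfuscated variants of a payload are caught as well; the trade-off is that any legitimate non-numeric id would also be reported, so adjust `looksLikeBookingId` to the real id format before deploying it against production logs.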
Exploit status
EPSS: 0.09% (26th percentile)
The primary mitigation for CVE-2024-2523 is to upgrade to version 1.0.1 of the Online-College-Event-Hall-Reservation-System. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'id' parameter in /admin/booktime.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'id' parameter and confirming that the script is not executed.
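The vulnerable pattern shown earlier on this page beside the "input validation and output encoding" workaround described here, as an added example that is not the project's own code or the 1.0.1 fix. The function names and the rendered markup are assumptions for the example; the probe value is the `<script>alert(1)</script>` check the advisory recommends for verifying a fix.

```php
<?php
// Added example (not the project's code): reflected-XSS pattern vs. a hardened
// handler for the 'id' parameter of /admin/booktime.php.
declare(strict_types=1);

// Vulnerable pattern from the advisory: the raw request value lands in the HTML.
function renderIdVulnerable(array $get): string
{
    return '<p>Booking id: ' . ($get['id'] ?? '') . '</p>';
}

// Step 1, input validation: a booking id must be a positive integer.
// filter_var returns false for strings like "<script>", for arrays and for null.
function validateBookingId(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2, output encoding: applied to anything written into HTML, even values
// that were validated, so a later change to the validator cannot reopen the hole.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderIdHardened(array $get): string
{
    $id = validateBookingId($get);
    if ($id === null) {
        // Reject rather than reflect: the bad value never reaches the page.
        return '<p>Invalid booking id.</p>';
    }
    return '<p>Booking id: ' . escapeHtml((string) $id) . '</p>';
}

// For fields that cannot be reduced to a number (names, descriptions) validation
// alone is not enough; the encoder is what neutralises markup in the output.
function renderLabelHardened(string $label): string
{
    return '<p>Event: ' . escapeHtml($label) . '</p>';
}

// Constructed requests mirroring the advisory's verification step.
$probe = ['id' => '<script>alert(1)</script>'];
echo renderIdVulnerable($probe), PHP_EOL;          // script tag emitted verbatim
echo renderIdHardened($probe), PHP_EOL;            // "Invalid booking id."
echo renderIdHardened(['id' => '12']), PHP_EOL;    // "Booking id: 12"
echo renderLabelHardened($probe['id']), PHP_EOL;   // &lt;script&gt;... as inert text
```

Validation narrows what the script accepts and encoding fixes how it is written out; the two are independent controls, and the workaround in the advisory asks for both. When verifying a deployed fix with the `<script>alert(1)</script>` probe, inspect the returned HTML source as well as watching for the dialog, since an encoded reflection (`&lt;script&gt;`) is the correct outcome and a raw `<script>` in the source means the encoding step is missing even if the browser happened not to run it.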
Update the Online-College-Event-Hall-Reservation-System to a patched version that fixes the XSS vulnerability. If no patched version is available, properly filter and escape the input of the 'id' parameter in the /admin/booktime.php file to prevent injection of malicious code.
CVE-2024-2523 is a cross-site scripting (XSS) vulnerability in the Online-College-Event-Hall-Reservation-System allowing attackers to inject malicious scripts via the 'id' parameter in /admin/booktime.php.
You are affected if you are using Online-College-Event-Hall-Reservation-System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'id' parameter in /admin/booktime.php.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
The vendor has not released an official advisory. Refer to the VDB entry (VDB-256960) for details.