無料スキャン
LOWCVE-2024-1822CVSS 2.4

PHPGurukul Tourism Management System user-bookings.php cross site scripting

翻訳中…

プラットフォーム

php

コンポーネント

tourism-management-system

修正版

1.0.1

AI Confidence: highNVDEPSS 0.1%レビュー済み: 2026年5月
NVDで見る
保存
あなたの言語に翻訳中…

A problematic cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Tourism Management System versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The issue resides in the user-bookings.php file, specifically within the handling of the 'Full Name' parameter. A patch is available in version 1.0.1.

影響と攻撃シナリオ翻訳中…

Successful exploitation of CVE-2024-1822 enables an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This could lead to the theft of sensitive information, such as session cookies, allowing the attacker to impersonate the user. The attacker could also redirect users to malicious websites, deface the application, or inject further malicious content. Given the nature of tourism management systems, data at risk includes user personal information (names, contact details, booking details), potentially financial information if payment processing is integrated, and administrative credentials if the attacker gains access to privileged accounts.

悪用の状況翻訳中…

This vulnerability has been publicly disclosed, and a proof-of-concept may be available. It is not currently listed on CISA KEV. The CVSS score of 2.4 indicates a low severity, suggesting that exploitation is relatively straightforward, but the potential impact can still be significant depending on the sensitivity of the data handled by the Tourism Management System. The vulnerability was published on 2024-02-23.

リスク対象者翻訳中…

Organizations utilizing PHPGurukul Tourism Management System version 1.0, particularly those handling sensitive user data such as personal information and booking details, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a vulnerability in one application could potentially impact others.

検出手順翻訳中…

• php: Examine user-bookings.php for unsanitized input handling of the 'Full Name' parameter. Search for patterns like echo $_POST['Full Name'] or similar without proper escaping.

// Example of vulnerable code
echo $_POST['Full Name'];

• generic web: Monitor access logs for unusual requests to user-bookings.php with suspicious characters in the 'Full Name' parameter (e.g., <script>, <iframe>). • generic web: Check response headers for signs of XSS payloads being injected into the page. • generic web: Use a vulnerability scanner to identify XSS vulnerabilities in the Tourism Management System.

攻撃タイムライン

  1. Disclosure

    disclosure

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

EPSS

0.05% (17% パーセンタイル)

CISA SSVC

悪用状況none
自動化可能no
技術的影響partial

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N2.4LOWAttack VectorNetwork攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredHigh攻撃に必要な認証レベルUser InteractionRequired被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityNone機密データ漏洩のリスクIntegrityLow不正データ改ざんのリスクAvailabilityNoneサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ネットワーク — インターネット経由でリモートから悪用可能。物理・ローカルアクセス不要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
高 — 管理者または特権アカウントが必要。
User Interaction
必要 — 被害者がファイルを開く、リンクをクリックするなどのアクションが必要。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
なし — 機密性への影響なし。
Integrity
低 — 限定的な範囲でデータ変更可能。
Availability
なし — 可用性への影響なし。

影響を受けるソフトウェア

コンポーネントtourism-management-system
ベンダーPHPGurukul
影響範囲修正版
1.0 – 1.01.0.1

弱点分類 (CWE)

CWE-79

タイムライン

  1. 予約済み
  2. 公開日
  3. 更新日
  4. EPSS 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2024-1822 is to immediately upgrade to version 1.0.1 of PHPGurukul Tourism Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Full Name' parameter in user-bookings.php to prevent the injection of malicious scripts. While not a complete solution, a Web Application Firewall (WAF) configured to block XSS payloads targeting the Full Name parameter can provide a temporary layer of protection. Regularly review and update input validation routines throughout the application to prevent similar vulnerabilities.

修正方法翻訳中…

Actualizar a una versión parcheada del sistema de gestión turística PHPGurukul. Si no hay una versión parcheada disponible, sanitizar las entradas del usuario, especialmente el campo 'Full Name' en el archivo user-bookings.php, para evitar la ejecución de código JavaScript malicioso. Implementar validación y codificación de salida para mitigar el riesgo de XSS.

CVEセキュリティニュースレター

脆弱性分析と重要アラートをメールでお届けします。

よくある質問翻訳中…

What is CVE-2024-1822 — XSS in PHPGurukul Tourism Management System?

CVE-2024-1822 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Tourism Management System versions 1.0–1.0. It allows attackers to inject malicious scripts via the 'Full Name' parameter, potentially compromising user sessions.

Am I affected by CVE-2024-1822 in PHPGurukul Tourism Management System?

You are affected if you are using PHPGurukul Tourism Management System version 1.0–1.0. Upgrade to version 1.0.1 to resolve the vulnerability.

How do I fix CVE-2024-1822 in PHPGurukul Tourism Management System?

The recommended fix is to upgrade to version 1.0.1. If upgrading is not possible, implement input validation and sanitization on the 'Full Name' parameter in user-bookings.php.

Is CVE-2024-1822 being actively exploited?

While there's no confirmed widespread exploitation, the vulnerability has been publicly disclosed, and a proof-of-concept may be available, increasing the risk of exploitation.

Where can I find the official PHPGurukul advisory for CVE-2024-1822?

Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-1822.

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索