Platform
php
Component
house-rental-management-system
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in SourceCodester House Rental Management System version 1.0. It affects the Manage Invoice Details component: an attacker can inject script into the page by manipulating the Invoice argument. Affected users should upgrade to version 1.0.1 to resolve this issue.
Successful exploitation of CVE-2024-0501 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the application. An attacker could potentially steal sensitive information like rental agreements, payment details, or user accounts. The impact is primarily client-side, but could be amplified if the application handles sensitive data or integrates with other systems.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The VDB identifier VDB-250609 has been assigned. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant prompt remediation. No active exploitation campaigns have been publicly reported as of the publication date.
Organizations and individuals utilizing the House Rental Management System version 1.0, particularly those handling sensitive tenant or financial data, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromised application could potentially impact other tenants.
• wordpress / composer / npm:
grep -rE 'Invoice\s*=\s*[^"]+' /var/www/html/house-rental-management-system/
• generic web:
curl -I 'http://your-house-rental-system.com/manage_invoice_details.php?Invoice=<script>alert(1)</script>'
Exploitation status
EPSS
0.06% (17th percentile)
CVSS vector
The primary mitigation for CVE-2024-0501 is to upgrade to version 1.0.1 of the House Rental Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Invoice argument to prevent malicious script injection. Web application firewalls (WAFs) with XSS filtering rules can also provide a temporary layer of protection. Regularly review and sanitize user-supplied input to minimize the risk of XSS vulnerabilities.
Upgrade to a patched version of the rental management system. If none is available, sanitize user input, in particular the 'Invoice' parameter, to prevent execution of malicious JavaScript. Implement validation and output encoding to prevent XSS attacks.
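The two mitigations named above (validate the Invoice argument, encode what is reflected) as an added PHP example; this is not SourceCodester's code. The script name manage_invoice_details.php is taken from the check above; that Invoice arrives as a GET parameter and refers to a numeric invoice id are assumptions.

```php
<?php
// manage_invoice_details.php (name taken from the page's curl check; layout assumed).
// Added example of the two mitigations named above: validate the Invoice
// argument before use, and encode anything reflected into the page.
declare(strict_types=1);

header('Content-Type: text/html; charset=UTF-8');

// Output encoding: every user-controlled value that reaches HTML passes through here.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input validation. ASSUMPTION: an invoice is referenced by a positive integer id.
// Returns null for anything else, including a payload such as <script>alert(1)</script>.
function validateInvoiceId(mixed $raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;          // also rejects arrays sent as Invoice[]=...
    }
    return (int) $raw;
}

// Vulnerable pattern, the class of bug CVE-2024-0501 describes: the raw
// query string value is written straight into the HTML.
//   echo '<h2>Invoice #' . $_GET['Invoice'] . '</h2>';

$raw = $_GET['Invoice'] ?? null;
$invoiceId = validateInvoiceId($raw);

if ($invoiceId === null) {
    http_response_code(400);
    // Reflecting the rejected input is safe only because it is encoded:
    // a <script> tag is emitted as &lt;script&gt; and never executes.
    echo '<p>Invalid invoice reference: ' . h(is_string($raw) ? $raw : '') . '</p>';
    exit;
}

// Hardened pattern: a validated id, still encoded on output as defence in depth.
echo '<h2>Invoice #' . h((string) $invoiceId) . '</h2>';
```

If the deployment uses free-text invoice numbers rather than integer ids, loosen the pattern in validateInvoiceId() but keep every reflected value inside h().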
CVE-2024-0501 is a cross-site scripting (XSS) vulnerability affecting SourceCodester House Rental Management System version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are using House Rental Management System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary measure, implement input validation and output encoding on the Invoice argument.
No active exploitation campaigns have been publicly reported, but the vulnerability is publicly disclosed and a proof-of-concept may be available.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2024-0501.