Platform
php
Fixed version
1.0.1
CVE-2024-11246 describes a cross-site scripting (XSS) vulnerability discovered in Farmacia version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability affects the /adicionar-cliente.php file and is triggered by manipulating parameters such as 'nome', 'cpf', and 'dataNascimento'. A patch is available in version 1.0.1.
An attacker can exploit this XSS vulnerability by crafting malicious URLs containing JavaScript code within the vulnerable parameters. When a user visits these URLs, the injected script executes in their browser context, allowing the attacker to steal cookies, redirect the user to a phishing site, or modify the content of the page. The impact can range from minor annoyance to complete account compromise, depending on the attacker's skill and the privileges of the affected user. Given the public disclosure of this vulnerability, it is likely that automated scanners are actively probing for vulnerable instances of Farmacia.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and the potential impact warrant immediate attention. No active exploitation campaigns have been publicly confirmed as of the publication date, but the availability of a public advisory suggests that attackers are likely to be actively scanning for vulnerable systems. It was added to the NVD on 2024-11-15.
Small businesses and organizations utilizing Farmacia 1.0 for customer management are at significant risk. Shared hosting environments where Farmacia is installed are particularly vulnerable, as a compromised account on one site can potentially impact others. Users who haven't implemented robust input validation practices are also more susceptible to exploitation.
• wordpress / composer / npm:
grep -E "nome|cpf|dataNascimento" /var/www/farmacia/adicionar-cliente.php
• generic web:
curl -I "http://your-farmacia-instance.com/adicionar-cliente.php?nome=<script>alert(1)</script>"
Exploit status
EPSS
0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11246 is to upgrade Farmacia to version 1.0.1, which includes the necessary fix. If upgrading immediately is not possible, consider implementing input validation and output encoding on the /adicionar-cliente.php page to sanitize user-supplied data. Web application firewalls (WAFs) can also be configured to detect and block malicious requests containing XSS payloads. Regularly review and update security rules to address emerging threats.
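As an added illustration of the input validation and output encoding recommended above (example code written for this page, not Farmacia's own adicionar-cliente.php; the handler shape and the validation rule for each field are assumptions):

```php
<?php
// Added example, not Farmacia code: strict validation of the three parameters
// named in the advisory, plus HTML encoding of anything echoed back.
declare(strict_types=1);

// Validate each parameter against an allowlist before it is stored or rendered.
function validateCliente(array $input): array
{
    $errors = [];
    $nome = trim((string)($input['nome'] ?? ''));
    // Assumed rule: letters, spaces, apostrophes and hyphens, 2 to 100 chars.
    if (!preg_match('/^[\p{L} \'\-]{2,100}$/u', $nome)) {
        $errors['nome'] = 'invalid name';
    }
    $cpf = (string)($input['cpf'] ?? '');
    // CPF is an 11-digit Brazilian taxpayer number; accept digits only.
    if (!preg_match('/^\d{11}$/', $cpf)) {
        $errors['cpf'] = 'invalid cpf';
    }
    $data = (string)($input['dataNascimento'] ?? '');
    // Accept ISO dates only; the round-trip check rejects rolled-over dates
    // such as 1990-02-30, which createFromFormat would otherwise accept.
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $data);
    if ($dt === false || $dt->format('Y-m-d') !== $data) {
        $errors['dataNascimento'] = 'invalid date';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'values' => ['nome' => $nome, 'cpf' => $cpf, 'dataNascimento' => $data]];
}

// Encode for an HTML text or attribute context: this is the control that stops
// a reflected or stored value from being parsed as markup by the browser.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request in the shape of the advisory's attack pattern.
$request = ['nome' => '<script>alert(1)</script>', 'cpf' => '12345678901',
            'dataNascimento' => '1990-05-17'];
$result = validateCliente($request);

if (!$result['ok']) {
    // Rejected input is echoed back only in encoded form, never raw.
    foreach ($result['errors'] as $field => $msg) {
        echo '<p>' . e($field) . ': ' . e($msg) . ' (' . e($request[$field]) . ')</p>';
    }
} else {
    echo '<input name="nome" value="' . e($result['values']['nome']) . '">';
}
```

With the constructed request the 'nome' value fails validation and is printed as `&lt;script&gt;alert(1)&lt;/script&gt;`, so it renders as text rather than executing.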
Update the Farmacia application to a patched version that fixes the XSS vulnerability. If no patched version is available, review and filter the inputs of the 'nome', 'cpf' and 'dataNascimento' parameters in the /adicionar-cliente.php file to prevent the injection of malicious code.
CVE-2024-11246 is a cross-site scripting (XSS) vulnerability in Farmacia version 1.0, affecting the /adicionar-cliente.php file. Attackers can inject malicious scripts via parameters like 'nome', 'cpf', and 'dataNascimento.'
If you are running Farmacia version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk. Check your installation for the vulnerable file.
Upgrade Farmacia to version 1.0.1. If immediate upgrade isn't possible, implement input validation and output encoding on /adicionar-cliente.php.
While no confirmed active exploitation campaigns are publicly known, the vulnerability is publicly disclosed, increasing the likelihood of exploitation. Automated scanners are likely probing for vulnerable instances.
Refer to the Farmacia project's official advisory for detailed information and updates regarding CVE-2024-11246. Check their website or relevant security channels.