1.0.1
CVE-2024-11997 describes a problematic cross-site scripting (XSS) vulnerability discovered in Farmacia version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability specifically targets the /vendas.php file, where manipulation of the notaFiscal argument can trigger the XSS. A patch is available in version 1.0.1.
An attacker can exploit this XSS vulnerability to execute arbitrary JavaScript code within the context of a user's browser session. This could lead to the theft of sensitive information, such as session cookies, login credentials, or personally identifiable information (PII). Furthermore, an attacker could redirect users to malicious websites, deface the application, or launch further attacks against the user's system. The remote nature of the exploit means that an attacker does not need to be on the same network as the vulnerable application to exploit it.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant prompt remediation. No known active campaigns or KEV listing at the time of writing. Public proof-of-concept code is likely to emerge given the public disclosure.
Users of Farmacia version 1.0 are directly at risk. Shared hosting environments where Farmacia is installed alongside other applications could also be affected, as a successful exploit could potentially compromise the entire hosting account. Administrators should review all instances of Farmacia to ensure they are patched.
• generic web:
curl -I https://your-farmacia-instance.com/vendas.php?notaFiscal=<script>alert('XSS')</script>• generic web:
grep -r 'notaFiscal' /var/log/apache2/access.log | grep '<script>' # Check for suspicious requestsdisclosure
エクスプロイト状況
EPSS
0.14% (35% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2024-11997 is to upgrade Farmacia to version 1.0.1, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing input validation and sanitization on the notaFiscal parameter in /vendas.php to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Carefully review and update any existing WAF rules to specifically target XSS patterns related to parameter manipulation.
Actualizar o parchear la aplicación Farmacia a una versión que corrija la vulnerabilidad XSS en el archivo /vendas.php. Validar y sanitizar la entrada del argumento notaFiscal para evitar la inyección de código malicioso. Si no hay actualizaciones disponibles, implementar medidas de seguridad adicionales, como el filtrado de entrada y la codificación de salida.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2024-11997 is a cross-site scripting (XSS) vulnerability in Farmacia version 1.0, allowing attackers to inject malicious scripts via the notaFiscal parameter in /vendas.php.
Yes, if you are using Farmacia version 1.0, you are affected by this vulnerability and should upgrade immediately.
Upgrade Farmacia to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the notaFiscal parameter.
While no active campaigns are confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the Farmacia project's official website or repository for the advisory related to CVE-2024-11997.
依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。