Platform
php
Fixed version
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Simple CRUD Functionality versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts by manipulating the newtitle and newdescr parameters within the /index.php file. The vulnerability is remotely exploitable and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application, and redirection to phishing sites. The attacker could potentially steal sensitive user data, such as cookies or authentication tokens, granting them unauthorized access to the application and its resources. The scope of impact depends on the privileges of the affected user and the sensitivity of the data handled by the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No specific KEV listing or EPSS score is currently available. Public proof-of-concept (POC) code is likely to emerge given the public disclosure. The vulnerability was published on 2024-12-05.
Simple CRUD Functionality deployments, particularly those using older versions (1.0–1.0) and those without robust input validation mechanisms, are at risk. Shared hosting environments where multiple users share the same server and application instance are also particularly vulnerable.
• php / web:
  grep -rE "newtitle|newdescr" /index.php
• generic web:
  curl -I "http://your-target-url/index.php?newtitle=<script>alert(1)</script>"
• generic web:
  curl -I "http://your-target-url/index.php?newdescr=<script>alert(1)</script>"
Exploit status
EPSS
0.17% (39th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12232 is to upgrade to version 1.0.1 of Simple CRUD Functionality. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the newtitle and newdescr parameters within the /index.php file to prevent the injection of malicious scripts. Content Security Policy (CSP) can also be implemented to restrict the sources from which scripts can be executed, limiting the impact of a successful XSS attack. Regularly review and update the application's codebase to address potential security vulnerabilities.
Update Simple CRUD Functionality or uninstall it. Because a fixed version is not available, you must either remove the software or manually patch the /index.php file to work around the XSS vulnerability. Validate and escape the 'newtitle' and 'newdescr' inputs before displaying them on the page.
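To show what "validate and escape before displaying" means in practice, here is an added PHP example (not the Simple CRUD Functionality project's own code): the reflecting pattern that produces this class of XSS, beside a hardened handler for the same two parameters. It assumes the application reads newtitle and newdescr from the request and echoes them into an HTML page; the function names are hypothetical.

```php
<?php
// Added example, not the project's own code. Assumes /index.php reads the
// newtitle and newdescr request parameters and echoes them into HTML;
// the handler shape and function names here are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: reflecting request parameters straight into HTML.
function render_item_unsafe(array $req): string
{
    $title = $req['newtitle'] ?? '';
    $descr = $req['newdescr'] ?? '';
    return "<h2>{$title}</h2><p>{$descr}</p>";
}

// Hardened pattern: validate on input, then escape on output.
function esc(string $s): string
{
    // ENT_QUOTES also escapes ' so the value is safe inside attribute values;
    // ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function validate_text(string $s, int $max): ?string
{
    // Reject over-long input and control characters; keep everything else and
    // rely on output encoding rather than stripping "dangerous" substrings.
    if (mb_strlen($s, 'UTF-8') > $max || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $s)) {
        return null;
    }
    return $s;
}

function render_item_safe(array $req): string
{
    $title = validate_text((string)($req['newtitle'] ?? ''), 200);
    $descr = validate_text((string)($req['newdescr'] ?? ''), 2000);
    if ($title === null || $descr === null) {
        http_response_code(400);
        return '<p>Invalid input.</p>';
    }
    return '<h2>' . esc($title) . '</h2><p>' . esc($descr) . '</p>';
}

// Defence in depth: a CSP without 'unsafe-inline' blocks inline scripts, so an
// injected script tag does nothing even if an escaping bug slips through.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

echo render_item_safe($_REQUEST);
```

With the hardened handler, angle brackets in either parameter reach the browser as `&lt;` and `&gt;`, so they render as text rather than as markup.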
CVE-2024-12232 is a cross-site scripting (XSS) vulnerability in Simple CRUD Functionality versions 1.0–1.0, allowing attackers to inject malicious scripts via the newtitle and newdescr parameters in /index.php.
If you are using Simple CRUD Functionality versions 1.0 through 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the newtitle and newdescr parameters.
While active exploitation is not confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the project's official channels (e.g., GitHub repository, project website) for the latest advisory and updates regarding CVE-2024-12232.