Platform
php
Component
online-exam-mastering-system
Fixed version
1.0.1
CVE-2024-12892 describes a cross-site scripting (XSS) vulnerability discovered in the Online Exam Mastering System. It allows attackers to inject script into web pages viewed by other users, potentially leading to session hijacking or defacement. The vulnerability affects version 1.0 of the system and has been resolved in version 1.0.1.
An attacker can exploit this XSS vulnerability by crafting a malicious URL that carries a payload in the name, gender or college parameters of the /sign.php?q=account.php endpoint, which reflects those values into the page without output encoding. When a user opens the crafted URL, the attacker's script executes in that user's browser within the application's origin. This could allow the attacker to steal session cookies that are not marked HttpOnly, redirect the user to a phishing site, or modify the content of the page. The potential impact is limited to the user's browser session and does not provide direct server-side access. However, successful exploitation could compromise sensitive user data or disrupt the online exam process.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on user data warrant attention. No active exploitation campaigns have been publicly reported at the time of this writing. The vulnerability is not currently listed on the CISA KEV catalog.
Educational institutions and organizations using the Online Exam Mastering System for online assessments are at risk. Specifically, those running version 1.0 of the system are vulnerable. Multi-tenant or shared hosting deployments where several groups use the same instance are also exposed, since a link crafted by one user of the instance executes in the browser of any other user of that instance who opens it.
• php / web: Request the endpoint with a harmless marker in each affected parameter (name, gender, college) and check whether it is reflected unencoded in the response body. A vulnerable 1.0 install returns the marker verbatim; a fixed install returns it encoded (for example &lt;script&gt;) or rejects the value. Using -G with --data-urlencode lets curl build the query string correctly, appending &name=... after the existing ?q=account.php:
curl -sG 'http://your-target-domain.com/sign.php?q=account.php' --data-urlencode 'name=<script>alert(1)</script>' | grep -F '<script>alert(1)</script>'
• php / web: Examine the source code of /sign.php (and the account.php it includes) for the name, gender and college values being echoed into HTML without htmlspecialchars() or equivalent output encoding, and for missing input validation on those fields.
• generic web: Monitor web server access logs for requests to /sign.php?q=account.php whose name, gender or college parameters contain HTML tags, event-handler attributes (onerror=, onmouseover=, ...) or javascript: URIs, in raw or percent-encoded form.
• generic web: Use the browser developer console to check for unexpected JavaScript execution or DOM changes when accessing /sign.php?q=account.php with test values in those parameters.
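The log-monitoring check above, written out as a small PHP scanner. This is an added example, not code from the Online Exam Mastering System or from the advisory; the log lines are constructed samples in combined log format, and the suspicious-content pattern and the assumption that the fields arrive as GET query parameters are illustrative choices, not facts taken from the page.

```php
<?php
// Added example (not part of the project): scan access-log lines for requests
// to /sign.php?q=account.php whose name/gender/college parameters look like
// XSS payloads. Sample lines below are constructed, not real traffic.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /sign.php?q=account.php&name=alice&gender=F&college=MIT HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:02:15 +0000] "GET /sign.php?q=account.php&name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&gender=M&college=X HTTP/1.1" 200 1100 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2025:10:02:40 +0000] "GET /sign.php?q=account.php&college=%22%20onmouseover%3Dalert(document.cookie)%20x%3D%22 HTTP/1.1" 200 1100 "-" "curl/8.0"
198.51.100.2 - - [10/Jan/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG;

// Parameters named in the advisory.
const WATCHED_PARAMS = ['name', 'gender', 'college'];

// Markers that legitimate names/colleges almost never contain but XSS payloads do:
// a tag opener, an on*= event handler, or a javascript: URI. Quotes alone are
// deliberately not flagged (O'Brien would be a false positive). Tune as needed.
const SUSPICIOUS = '/<[a-z\/!]|\bon[a-z]+\s*=|javascript:/i';

function findSuspiciousRequests(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $idx => $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP\//', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (($url['path'] ?? '') !== '/sign.php' || empty($url['query'])) {
            continue;
        }
        // parse_str percent-decodes the values, so encoded payloads are caught too.
        parse_str($url['query'], $params);
        if (($params['q'] ?? '') !== 'account.php') {
            continue;
        }
        foreach (WATCHED_PARAMS as $p) {
            if (isset($params[$p]) && preg_match(SUSPICIOUS, $params[$p])) {
                $hits[] = ['line' => $idx + 1, 'param' => $p, 'value' => $params[$p]];
            }
        }
    }
    return $hits;
}

// Expected on the samples: line 2 (name) and line 3 (college) are reported,
// lines 1 and 4 are not.
foreach (findSuspiciousRequests(SAMPLE_LOG) as $h) {
    printf("line %d: suspicious %s=%s\n", $h['line'], $h['param'], $h['value']);
}
```

Feed real logs with `findSuspiciousRequests(file_get_contents('/var/log/apache2/access.log'))`; for POST bodies the request line alone is not enough, so the same check would have to run inside the application or on a proxy that logs bodies.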
Exploit status
disclosure
EPSS
0.14% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12892 is to upgrade the Online Exam Mastering System to version 1.0.1 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, apply output encoding (htmlspecialchars() with ENT_QUOTES for HTML contexts) wherever the name, gender and college values are rendered by the /sign.php?q=account.php page, and validate those inputs on entry (an allow-list for gender, length limits for free-text fields). Web application firewalls (WAFs) can be configured to block requests carrying common XSS payloads, but signature rules are bypassable and should be treated as a stopgap rather than a fix. Marking the session cookie HttpOnly limits what a successful payload can steal. After upgrading, confirm the fix by requesting /sign.php?q=account.php with a test payload in each parameter and verifying that the response returns it encoded rather than executing it.
Update to the patched version or disable the system. If a patched version is not available to you, validate and filter the input values of the 'name', 'gender' and 'college' fields of /sign.php?q=account.php to prevent malicious code injection, and implement input validation and sanitization.
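The vulnerable pattern described above beside its hardened form, as an added example (not code from the Online Exam Mastering System or from its 1.0.1 fix). The parameter names match the advisory; the HTML layout, the function names and the allowed gender values are assumptions made for illustration.

```php
<?php
// Added example (not project code): reflected XSS in the style described for
// /sign.php?q=account.php, and the same rendering with output encoding plus
// input validation. HTML structure and the gender allow-list are assumed.

// Vulnerable: user-controlled values echoed straight into HTML.
function renderAccountVulnerable(array $get): string
{
    $name    = $get['name']    ?? '';
    $gender  = $get['gender']  ?? '';
    $college = $get['college'] ?? '';
    return "<input name=\"name\" value=\"$name\">"
         . "<p>Gender: $gender</p>"
         . "<p>College: $college</p>";
}

// Encode for the HTML element/attribute context at output time. ENT_QUOTES
// covers both quote styles so attribute injection ("\" onmouseover=...") fails too.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: validate what can be validated on input, encode everything on output.
function renderAccountHardened(array $get): string
{
    $name    = (string) ($get['name']    ?? '');
    $gender  = (string) ($get['gender']  ?? '');
    $college = (string) ($get['college'] ?? '');

    // Gender has a known vocabulary (assumed M/F here): reject anything else.
    if (!in_array($gender, ['M', 'F', ''], true)) {
        $gender = '';
    }
    // Free-text fields: bound their length; encoding below handles the content.
    $name    = mb_substr($name, 0, 100);
    $college = mb_substr($college, 0, 100);

    return '<input name="name" value="' . esc($name) . '">'
         . '<p>Gender: ' . esc($gender) . '</p>'
         . '<p>College: ' . esc($college) . '</p>';
}

// Constructed payloads, one per parameter named in the advisory.
$attack = [
    'name'    => '"><script>alert(document.cookie)</script>',
    'gender'  => '<img src=x onerror=alert(1)>',
    'college' => "' onmouseover='alert(1)",
];

echo "VULNERABLE:\n", renderAccountVulnerable($attack), "\n\n";
echo "HARDENED:\n",   renderAccountHardened($attack),   "\n";

// No raw tag or quote from user input survives in the hardened output.
$out = renderAccountHardened($attack);
assert(strpos($out, '<script') === false);
assert(strpos($out, '<img') === false);
assert(strpos($out, "' onmouseover") === false);
```

Encoding at the output site is the durable fix because it is correct regardless of what the input filter missed; the allow-list on gender and the length bounds are defense in depth. If the same values are ever written into a JavaScript block or a URL rather than HTML, those contexts need their own encoders (json_encode, rawurlencode), not htmlspecialchars().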
CVE-2024-12892 is a cross-site scripting (XSS) vulnerability in Online Exam Mastering System version 1.0, affecting the /sign.php?q=account.php endpoint. Attackers can inject script by manipulating the name, gender or college parameters.
You are affected if you are using Online Exam Mastering System version 1.0. Check your version and upgrade if necessary.
Upgrade to version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While no active campaigns have been publicly reported, the vulnerability has been disclosed and may be exploited.
Refer to the vendor's official website or security advisory channels for the latest information regarding CVE-2024-12892.