プラットフォーム
php
コンポーネント
land-record-system
修正版
1.0.1
CVE-2024-13074 describes a problematic cross-site scripting (XSS) vulnerability discovered in PHPGurukul Land Record System version 1.0. This flaw allows attackers to inject malicious scripts, potentially leading to data theft and session hijacking. The vulnerability impacts version 1.0 and is resolved in version 1.0.1, which users are strongly encouraged to apply.
The XSS vulnerability in Land Record System allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a victim's browser when they visit a compromised page. Attackers could leverage this to steal sensitive information, such as user credentials or personal data stored within the application. Furthermore, an attacker could hijack user sessions, gaining unauthorized access to the Land Record System and potentially manipulating data or performing actions on behalf of legitimate users. The impact is amplified if the system handles sensitive land ownership records, as attackers could potentially alter or view confidential information.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns or proof-of-concept exploits have been publicly reported as of the publication date, but the public disclosure makes it a target. The vulnerability was published on 2024-12-31.
Organizations and individuals using PHPGurukul Land Record System version 1.0 are at risk. This includes government agencies, land registry offices, and any entity relying on this system for land record management. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as a compromise of one user's account could potentially impact others.
• php: Examine /index.php for unsanitized usage of the 'searchdata' parameter. Look for patterns where user input is directly outputted to the page without proper encoding.
// Example of vulnerable code
<?php
echo $_GET['searchdata']; ?>• generic web: Check access logs for unusual requests to /index.php with suspicious parameters in the 'searchdata' field. Look for patterns indicative of XSS payloads (e.g., <script> tags, event handlers).
• generic web: Use curl to test the /index.php endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>). Observe the response for JavaScript execution.
disclosure
エクスプロイト状況
EPSS
0.13% (32% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2024-13074 is to upgrade to version 1.0.1 of the Land Record System. This version includes a fix for the XSS vulnerability. If upgrading immediately is not possible, consider implementing input validation and output encoding on the 'searchdata' parameter in /index.php to sanitize user-supplied input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update input validation routines to prevent similar vulnerabilities from arising.
パッチが適用されたバージョンにアップデートするか、XSS コードの実行を避けるために必要なセキュリティ対策を適用してください。特に 'searchdata' パラメータを含むユーザー入力を表示する前に、検証およびサニタイズしてください。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2024-13074 is a cross-site scripting (XSS) vulnerability in PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts via the 'searchdata' parameter.
You are affected if you are using PHPGurukul Land Record System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary measure, implement input validation and output encoding on the 'searchdata' parameter.
While no active campaigns are confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-13074.