Platform
php
Component
land-record-system
Fixed version
1.0.1
CVE-2024-13081 is a cross-site scripting (XSS) vulnerability identified in PHPGurukul Land Record System version 1.0. An attacker can exploit this flaw by manipulating the 'Page Description' parameter handled by the /admin/contactus.php file, leading to the execution of attacker-controlled script in the browser of any user who views the affected page. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13081 allows an attacker to inject arbitrary JavaScript into the Land Record System's web interface, where it runs in the browser of whoever views the injected 'Page Description'. This can lead to session hijacking, defacement of the administrative panel, and redirection of users to phishing sites. Depending on the system's configuration and the privileges of the affected user, the attacker could steal sensitive data such as user credentials or land records. Because /admin/contactus.php is part of the administrative area, the injected script runs with the privileges of an administrator's browser session, which could give the attacker effective control over the Land Record System.
CVE-2024-13081 has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant attention. No known active campaigns targeting this vulnerability have been reported as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing PHPGurukul Land Record System version 1.0, particularly those with publicly accessible administrative interfaces, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially lead to the compromise of the entire system.
• installed source tree (the application ships as a plain PHP package, so there is no wordpress / composer / npm manifest to query; check the deployed file directly, adjusting the path to your web root):
grep -n "Page Description" /var/www/html/admin/contactus.php
• generic web (the original check used curl -I, which returns headers only and cannot show whether the payload is reflected; request the body instead, URL-encoding the parameter, and note that the admin page normally requires an authenticated administrator session, so supply your session cookie if needed):
curl -s -G --data-urlencode "Page Description=<script>alert('XSS')</script>" 'http://your-land-record-system.com/admin/contactus.php'
If the response body contains the <script> tag unencoded, the instance is vulnerable; a patched instance returns it HTML-encoded (as &lt;script&gt;) or rejects it.
Exploitation status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13081 is to upgrade to version 1.0.1 of PHPGurukul Land Record System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Page Description' parameter within the /admin/contactus.php file. This can involve stripping out potentially malicious HTML tags or encoding user-supplied input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update the system's security configuration to minimize the attack surface. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'Page Description' field and verifying that it is properly sanitized.
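The following is an added illustration of the fix described above, not code from PHPGurukul or from the 1.0.1 patch: a free-text admin field that is stored and later echoed into HTML, first in the vulnerable form and then hardened by validating on input and HTML-encoding on output. The field label 'Page Description' comes from the advisory; the form field name `pagedes`, the function names and the length limit are assumptions made for the example.

```php
<?php
// Added example (not PHPGurukul's code). Demonstrates the stored-XSS pattern
// behind CVE-2024-13081 and the input-validation + output-encoding fix.
// ASSUMPTIONS: POST field name `pagedes`, the helper names, and the 4000-byte
// limit are illustrative; the real application may differ.
declare(strict_types=1);

// --- Vulnerable pattern -------------------------------------------------
// The stored value is concatenated straight into markup, so a submitted
// <script>alert('XSS')</script> is delivered verbatim to every admin's browser.
function render_description_vulnerable(string $stored): string
{
    return '<p class="page-desc">' . $stored . '</p>';
}

// --- Hardened pattern ---------------------------------------------------
// Step 1: validate on input. This narrows what gets stored (no control
// characters, bounded length) but is NOT the XSS defence on its own.
function validate_description(string $input): string
{
    $input = trim($input);
    if ($input === '' || strlen($input) > 4000) {
        throw new InvalidArgumentException('Page Description must be 1-4000 bytes');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $input) === 1) {
        throw new InvalidArgumentException('Page Description contains control characters');
    }
    return $input;
}

// Step 2: encode on output, every time the value lands in an HTML text or
// attribute context. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_description_safe(string $stored): string
{
    return '<p class="page-desc">' . h($stored) . '</p>';
}

// Request handling as it would appear in an admin page handler (assumed field name).
function handle_contactus_post(array $post): string
{
    $description = validate_description((string) ($post['pagedes'] ?? ''));
    // ... persist $description to the settings table here ...
    return render_description_safe($description);
}

// Self-check with a constructed payload (the same one used in the curl check above).
$payload = "<script>alert('XSS')</script>";
$unsafe  = render_description_vulnerable($payload);
$safe    = handle_contactus_post(['pagedes' => $payload]);

if (strpos($unsafe, '<script>') === false || strpos($safe, '<script>') !== false) {
    throw new RuntimeException('self-check failed: encoding did not behave as expected');
}
echo "vulnerable: {$unsafe}\n";
echo "hardened:   {$safe}\n";
```

The important design point is that encoding happens at the output boundary, not only at input time: stripping tags on the way in is easy to bypass and loses legitimate characters, whereas `htmlspecialchars` at render time makes the stored value inert regardless of what was submitted. A WAF rule matching the `<script>` string remains only a stop-gap, since the same stored value can be reused in other contexts (attributes, JavaScript blocks) that need context-specific encoding.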
Update to the patched version, or apply the security measures needed to prevent injection of malicious code into the 'Page Description' field of the /admin/contactus.php file. To prevent XSS attacks, validate and escape user input properly. If a patched version is not available, consider disabling or removing the vulnerable functionality.
CVE-2024-13081 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts via the 'Page Description' parameter of the /admin/contactus.php file.
You are affected if you are using PHPGurukul Land Record System version 1.0. Check your version and upgrade if necessary.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Page Description' parameter.
While no active campaigns are currently confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the PHPGurukul website or security mailing lists for the official advisory regarding CVE-2024-13081.