Platform
php
Component
land-record-system
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Land Record System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides in the processing of the /admin/search-property.php file, specifically through manipulation of the 'Search By' argument. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13082 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's administrative interface. An attacker could potentially gain unauthorized access to sensitive land record data or manipulate the system's functionality. The impact is particularly severe for administrative users, as their accounts could be compromised, granting the attacker full control over the Land Record System.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The vulnerability is not currently listed on CISA's KEV catalog.
Organizations utilizing PHPGurukul Land Record System version 1.0, particularly those with sensitive land record data, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially affect others.
• php: Examine /admin/search-property.php for inadequate input sanitization of the 'Search By' parameter. Look for places where user input is echoed back to the browser without proper output encoding.
• generic web: Monitor access logs for unusual requests to /admin/search-property.php with suspicious parameters in the 'Search By' field. Look for patterns indicative of XSS attempts (e.g., <script>).
• generic web: Use curl to test the endpoint with a basic XSS payload (the parameter name and payload must be URL-encoded for the request to be well-formed): curl 'http://<target>/admin/search-property.php?Search%20By=%3Cscript%3Ealert(1)%3C%2Fscript%3E' and check whether the payload is reflected unencoded in the response.
disclosure
Exploit status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13082 is to upgrade to PHPGurukul Land Record System version 1.0.1 or later, which includes the necessary fix. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'Search By' parameter within the /admin/search-property.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Carefully review and sanitize all user-supplied input before rendering it in the application's output. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the 'Search By' parameter and verifying that it is properly sanitized.
Update to the patched version, or apply the security measures needed to prevent injection of malicious code through the 'Search By' parameter of the /admin/search-property.php file. Validate and escape user input to prevent XSS attacks. If a patched version is not available, consider disabling the vulnerable functionality or restricting access to it until the fix is applied.
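As an added illustration of the input validation and output encoding recommended above (example code written for this page, not PHPGurukul's own source), the following PHP shows the vulnerable echo pattern beside a hardened version. The field name, the allow-listed selector values, and the function names are assumptions.

```php
<?php
// Added example, not PHPGurukul's code: hardening pattern for a "search by"
// selector and the echoed search term in a page like /admin/search-property.php.
// The field key, allowed values and function names are assumptions.
declare(strict_types=1);

// Allow-list: the selector may only take one of the known column keys (assumed).
const ALLOWED_SEARCH_BY = ['property_id', 'owner_name', 'survey_no'];

function validateSearchBy(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    // Strict comparison: no type juggling, no partial matches.
    return in_array($value, ALLOWED_SEARCH_BY, true) ? $value : null;
}

// Output encoding for HTML text and attribute contexts.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Before: selector and term are interpolated into HTML unencoded,
// which is the defect class the advisory describes.
function renderVulnerable(string $searchBy, string $term): string
{
    return "<p>Results for {$searchBy}: {$term}</p>";
}

// After: reject unknown selector values, encode everything that is echoed.
function renderHardened(?string $searchBy, string $term): string
{
    $selector = validateSearchBy($searchBy);
    if ($selector === null) {
        http_response_code(400);
        return '<p>Invalid search field.</p>';
    }
    return '<p>Results for ' . e($selector) . ': ' . e($term) . '</p>';
}

// Demonstration with a constructed hostile input (not real traffic).
$hostile = '<script>alert(1)</script>';
echo renderVulnerable($hostile, $hostile), PHP_EOL;   // markup passes through unchanged
echo renderHardened($hostile, $hostile), PHP_EOL;     // selector rejected, generic message
echo renderHardened('owner_name', $hostile), PHP_EOL; // term is entity-encoded, rendered as text
```

The hardened form treats the selector as an enumeration rather than free text, so even a valid-looking value that is not in the allow-list is refused before it reaches the query or the page.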
CVE-2024-13082 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System versions 1.0–1.0, allowing attackers to inject malicious scripts via the /admin/search-property.php file.
You are affected if you are using PHPGurukul Land Record System version 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to PHPGurukul Land Record System version 1.0.1 or later. As a temporary measure, implement input validation and output encoding on the 'Search By' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-13082.