Platform
php
Component
land-record-system
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Land Record System version 1.0. It allows attackers to inject malicious scripts into the application by manipulating the Admin Name parameter handled by the /admin/admin-profile.php file. The vulnerability is exploitable remotely and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13083 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the Land Record System's administrative interface. The attacker could potentially gain unauthorized access to sensitive land record data or modify system configurations. The impact is amplified if the administrative interface is used to manage critical data or processes, as an attacker could leverage this vulnerability to gain broader control over the system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There are currently no known active campaigns targeting this specific vulnerability, but the availability of a public exploit increases the risk. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but proactive mitigation is still recommended.
Organizations utilizing PHPGurukul Land Record System version 1.0, particularly those with publicly accessible administrative interfaces, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user could potentially impact others.
• php / web: curl -I 'http://your-land-record-system/admin/admin-profile.php?Admin%20Name=<script>alert(1)</script>' | grep HTTP/1.1
• php / web: Examine /admin/admin-profile.php for unsanitized input handling of the 'Admin Name' parameter.
• generic web: Check access logs for unusual requests to /admin/admin-profile.php with suspicious parameters in the Admin Name field.
disclosure
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13083 is to upgrade to version 1.0.1 of PHPGurukul Land Record System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Admin Name field to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security configurations to minimize the attack surface.
Update to a patched version of the software. If no patched version is available, review the code in `/admin/admin-profile.php` and properly escape user input passed through the `Admin Name` parameter so that malicious JavaScript cannot execute. Until the fix can be applied, consider temporarily disabling the affected feature.
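The escaping described above, as an added illustration of the bug class and its fix (constructed for this page, not code from PHPGurukul Land Record System); it assumes a hypothetical form field `adminname` whose value is echoed back into an HTML attribute on the profile page:

```php
<?php
// Added illustration, not the project's code. Assumed: the profile form
// posts an "adminname" field that is stored and later echoed into HTML.
declare(strict_types=1);

// Context-aware HTML escaping for every value placed into markup, whether it
// arrived in the request or was read back from the database (stored XSS).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Server-side validation of the Admin Name field before it is stored.
// Returns the trimmed name, or null when it does not look like a name.
function validateAdminName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters in any script, combining marks, digits, space, apostrophe, hyphen, dot.
    if (!preg_match('/^[\p{L}\p{M}\p{N} \'.\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Vulnerable pattern: the raw value is concatenated into an attribute, so a
// double quote in the name terminates the attribute and any markup that
// follows it is rendered by the browser.
function renderNameFieldUnsafe(string $adminName): string
{
    return '<input type="text" name="adminname" value="' . $adminName . '">';
}

// Hardened pattern: escaped at the point of output, after validation.
function renderNameFieldSafe(string $adminName): string
{
    return '<input type="text" name="adminname" value="' . e($adminName) . '">';
}

// Request handling: reject input that fails validation, escape what is shown.
$candidate = validateAdminName((string)($_POST['adminname'] ?? 'Ravi Kumar')); // constructed default
if ($candidate === null) {
    http_response_code(400);
    exit('Invalid admin name');
}
// ... persist $candidate with a prepared statement here ...
echo renderNameFieldSafe($candidate), PHP_EOL;
```

Run from the CLI the script renders the constructed default name; with a request body the same escaping applies to whatever was submitted, and the validator rejects names containing angle brackets or quotes before they are stored.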
CVE-2024-13083 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are running PHPGurukul Land Record System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1 of PHPGurukul Land Record System. As a temporary workaround, implement input validation and sanitization on the Admin Name field.
While there are no confirmed active campaigns, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the PHPGurukul website or security mailing lists for the official advisory regarding CVE-2024-13083.