Platform
php
Component
skid-nochizplz
Fixed version
1.0.1
A cross-site scripting (XSS) vulnerability, classified as problematic, has been identified in SourceCodester Computer Inventory System version 1.0. The flaw allows attackers to inject malicious scripts by manipulating arguments passed to the /endpoint/add-computer.php file. Affected users should upgrade to version 1.0.1 to mitigate this risk; the vulnerability has been publicly disclosed.
Successful exploitation of CVE-2024-2066 allows an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, defacement of the application's interface, and redirection to phishing sites. The attacker could steal sensitive information like user credentials or internal data displayed within the Computer Inventory System. Given the nature of XSS, the potential impact extends to all users interacting with the vulnerable endpoint, potentially compromising the entire system's integrity.
This vulnerability has been publicly disclosed and assigned the identifier VDB-255381. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on user data warrant prompt remediation. No active exploitation campaigns have been publicly reported as of this writing, but the availability of the vulnerability details increases the risk of future attacks. The vulnerability was published on 2024-03-01.
Organizations utilizing the Computer Inventory System 1.0, particularly those with limited security resources or those who haven't implemented robust input validation practices, are at heightened risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user's account could potentially impact others.
• php / web: Examine access logs for requests to /endpoint/add-computer.php with unusual or suspicious parameters (only query strings appear in the access log; POST bodies are not logged by default, so this check cannot see payloads submitted in the request body).
grep -Ei 'script|alert' /var/log/apache2/access.log | grep /endpoint/add-computer.php
• php / web: Inspect the source code of /endpoint/add-computer.php for missing or inadequate input validation and output encoding.
• generic web: Use curl to test the endpoint with various payloads to identify XSS vulnerabilities.
curl -X POST -d "model=<script>alert('XSS')</script>" http://your-computer-inventory-system/endpoint/add-computer.php
disclosure
patch
Exploit status
EPSS
0.06% (18th percentile)
CVSS vector
The primary mitigation for CVE-2024-2066 is to upgrade to version 1.0.1 of the Computer Inventory System. If an immediate upgrade is not feasible, consider implementing input validation and output encoding on the /endpoint/add-computer.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies to ensure adherence to secure coding practices.
Update to a patched version of the software. If no patched version is available, sanitize the input of the 'model' parameter in the add-computer.php file to prevent execution of XSS code. Escaping data output in the HTML template can also mitigate the risk.
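As an added illustration of the validate-on-input, encode-on-output advice above (example code written for this page, not SourceCodester's; the field names, the in-memory inventory array and the handler layout are assumptions, since the real add-computer.php is not shown here):

```php
<?php
// Added example (not SourceCodester's code): a hypothetical minimal "add computer"
// handler and inventory renderer showing the pattern the advisory recommends:
// validate on the way in, HTML-encode on the way out. Field names, the storage
// array and the handler layout are assumptions; the real file is not on this page.
declare(strict_types=1);

// Encode a string for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Weak pattern: the stored value is echoed verbatim, so a "<script>" in the
// model field reaches every user's browser as live markup.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['brand'] . '</td><td>' . $row['model'] . '</td></tr>';
}

// Input side: reject empty, oversized or control-character values.
function validate_field(string $name, string $value, int $maxLen = 100): string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen
        || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException("$name must be 1-$maxLen printable characters");
    }
    return $value;
}

function add_computer(array &$inventory, array $post): void
{
    $inventory[] = [
        'brand' => validate_field('brand', (string)($post['brand'] ?? '')),
        'model' => validate_field('model', (string)($post['model'] ?? '')),
    ];
}

// Output side: encode at the point of rendering, whatever was stored.
function render_row_safe(array $row): string
{
    return '<tr><td>' . h($row['brand']) . '</td><td>' . h($row['model']) . '</td></tr>';
}

// Constructed sample submission resembling the curl test above.
$inventory = [];
add_computer($inventory, ['brand' => 'Lenovo', 'model' => "T14 <script>alert('XSS')</script>"]);
echo render_row_unsafe($inventory[0]), PHP_EOL; // script tag emitted as markup
echo render_row_safe($inventory[0]), PHP_EOL;   // &lt;script&gt;... shown as text
```

Note that the validation step passes the sample payload unchanged, since free-text fields legitimately contain angle brackets and quotes; it is the output encoding, not validation alone, that prevents the injected markup from executing.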
CVE-2024-2066 is a cross-site scripting (XSS) vulnerability affecting Computer Inventory System 1.0, allowing attackers to inject malicious scripts via the /endpoint/add-computer.php file.
If you are using Computer Inventory System version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to resolve the issue.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the vulnerable endpoint.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed, increasing the risk of future attacks.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-2066.