Platform
php
Component
rrj-nueva-ecija-engineer-online-portal
Fixed in
1.0.1
CVE-2024-0190 describes a cross-site scripting (XSS) vulnerability affecting the RRJ Nueva Ecija Engineer Online Portal. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The issue impacts version 1.0, and a patch is available in version 1.0.1.
The vulnerability lies in the handling of user input within the add_quiz.php file, specifically the Quiz Title and Quiz Description fields. An attacker can inject JavaScript code by crafting malicious input containing tags like </title><scRipt>alert(x)</scRipt>. When this input is displayed to other users, the injected script executes in their browser context. This could allow an attacker to steal session cookies, redirect users to phishing sites, or modify the content of the page. The remote nature of the vulnerability means an attacker doesn't need local access to exploit it.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW (3.5), suggesting that exploitation is relatively straightforward but the potential impact is limited. It is not currently listed on the CISA KEV catalog. Further investigation is warranted to determine if this vulnerability is being actively exploited in the wild.
Organizations using the RRJ Nueva Ecija Engineer Online Portal version 1.0 are at risk. This includes engineering firms, construction companies, or any entity utilizing this specific portal for project management or communication. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as a successful attack could potentially impact other users on the same server.
• generic web: Use curl to test the add_quiz.php endpoint with a payload like <script>alert(x)</script> in the Quiz Title/Quiz Description parameters. Check the returned HTML for the payload appearing unencoded; in a browser this is what triggers the alert box.
curl -d "Quiz Title=<script>alert(x)</script>" http://your-portal-url/add_quiz.php
• generic web: Examine access and error logs for suspicious requests containing <script> tags or other XSS payloads targeting add_quiz.php.
• generic web: Inspect the HTML source code of pages displaying quiz information for any unsanitized user input from the Quiz Title/Quiz Description fields.
EPSS
0.23% (46th percentile)
The primary mitigation for CVE-2024-0190 is to upgrade the RRJ Nueva Ecija Engineer Online Portal to version 1.0.1 or later, which includes the fix. If upgrading immediately is not possible, consider implementing input validation and output encoding on the Quiz Title and Quiz Description fields to sanitize user input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, verify the fix by attempting to inject a simple JavaScript alert in the Quiz Title/Quiz Description fields and confirming that the script does not execute.
Update the RRJ Nueva Ecija Engineer Online Portal to a patched version, or implement input sanitization in the add_quiz.php file to prevent the execution of malicious JavaScript code. Escape or strip HTML tags in the 'Quiz Title' and 'Quiz Description' fields before displaying them on the page.
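A check for the verification step described above, as an added example (not code from the portal or its vendor): it parses a returned page and reports whether the advisory's test string became a real script element or stayed inert text, including the mixed-case scRipt tag that a case-sensitive search for <script> would miss. render_quiz_page and its markup are constructed stand-ins; on a test instance, pass the HTML of the page that displays the quiz to injected_scripts instead.

```python
import html
from html.parser import HTMLParser

PAYLOAD = "</title><scRipt>alert(x)</scRipt>"  # test string quoted in the advisory


class ScriptFinder(HTMLParser):
    """Collects the body of each <script> element the parser creates (script tags only)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.bodies = []
        self.in_script = False

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag names, so <scRipt> arrives here as "script".
        if tag == "script":
            self.in_script = True
            self.bodies.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.bodies[-1] += data


def injected_scripts(page, marker):
    """Return script bodies containing marker; an empty list means it stayed inert text."""
    finder = ScriptFinder()
    finder.feed(page)
    finder.close()
    return [body for body in finder.bodies if marker in body]


def render_quiz_page(title, description, encode):
    """Constructed stand-in for a page that displays a stored quiz (not the real markup)."""
    if encode:  # output encoding, as the mitigation recommends
        title, description = html.escape(title), html.escape(description)
    return (f"<html><head><title>{title}</title></head>"
            f"<body><h1>{title}</h1><p>{description}</p></body></html>")


if __name__ == "__main__":
    for label, encode in (("raw output", False), ("encoded output", True)):
        page = render_quiz_page(PAYLOAD, PAYLOAD, encode)
        print(label, "->", injected_scripts(page, "alert(x)"))
```

An empty list for the encoded page means the fix holds for this payload; the check covers script elements only, not event-handler attributes.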
CVE-2024-0190 is a cross-site scripting (XSS) vulnerability in the RRJ Nueva Ecija Engineer Online Portal version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are using RRJ Nueva Ecija Engineer Online Portal version 1.0. Upgrade to 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 or later. Implement input validation and output encoding as a temporary workaround.
While publicly disclosed, there is no confirmed evidence of active exploitation at this time. Monitoring is recommended.
Refer to the vendor's official website or security announcements for the latest advisory regarding CVE-2024-0190.