Platform
php
Component
admin-dashboard
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Code-Projects Admin Dashboard versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking or defacement. The vulnerability resides within the /vendor_management.php file, specifically in the handling of the 'username' parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-12359 enables an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can be leveraged to steal sensitive information like cookies and session tokens, allowing the attacker to impersonate the user. Furthermore, the attacker could modify the appearance of the application, redirect users to malicious websites, or inject malware. The impact is amplified if the Admin Dashboard is used to manage sensitive data or control critical systems, as an attacker could gain unauthorized access and potentially compromise the entire infrastructure. The publicly disclosed nature of this exploit increases the likelihood of widespread exploitation.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. No known active campaigns targeting this specific vulnerability have been reported as of the publication date. The initial advisory mentions conflicting product names, highlighting the importance of verifying the affected version.
Organizations utilizing Code-Projects Admin Dashboard for vendor management, particularly those with legacy configurations or shared hosting environments, are at increased risk. Systems where the Admin Dashboard handles sensitive data or provides access to critical resources are especially vulnerable.
• php / server:
grep -r 'username = $_GET' /var/www/html/vendor_management.php
• generic web:
curl -I 'http://your-admin-dashboard.com/vendor_management.php?username=<script>alert(1)</script>'
Exploit Status
disclosure
EPSS
0.18% (40th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12359 is to upgrade to Code-Projects Admin Dashboard version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'username' parameter in /vendor_management.php to sanitize user-supplied data. Web application firewalls (WAFs) can be configured to detect and block XSS attempts targeting this specific endpoint. Thoroughly review and update any existing security policies to address XSS vulnerabilities.
Update the admin panel to a patched version that fixes the XSS vulnerability. If no such version is available, review and filter user input in the /vendor_management.php file, especially the 'username' parameter, to prevent injection of malicious code. Implement an escaping or sanitization function to clean the data before displaying it on the page.
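The input validation and output encoding described above, as an added illustration that is not the project's own code: a hypothetical vendor_management.php handler that reflects the 'username' parameter, shown first in the unsafe pattern and then hardened. The allowed-character rule for usernames and the page markup are assumptions.

```php
<?php
// Added illustration, not Code-Projects code: a hypothetical handler that
// reflects the 'username' query parameter, unsafe and then hardened.
declare(strict_types=1);

// UNSAFE pattern (hypothetical): the parameter is echoed into HTML verbatim,
// so any markup in the value is interpreted by the victim's browser.
function renderUnsafe(string $username): string
{
    return "<h2>Vendor: " . $username . "</h2>";
}

// Hardened: validate against the character set a username may contain,
// then HTML-encode on output. Encoding is the step that prevents XSS;
// validation rejects obviously malformed values early.
function validateUsername(string $username): ?string
{
    // Assumption: 1-32 characters of letters, digits, dot, dash, underscore.
    return preg_match('/^[A-Za-z0-9._-]{1,32}$/', $username) === 1 ? $username : null;
}

function renderSafe(string $username): string
{
    $clean = validateUsername($username);
    if ($clean === null) {
        return "<h2>Vendor: (invalid username)</h2>";
    }
    // ENT_QUOTES | ENT_HTML5 encodes < > & " ' so the value renders only as text.
    return "<h2>Vendor: " . htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "</h2>";
}

// Constructed input: the same probe string used in the detection check above.
$probe = '<script>alert(1)</script>';
assert(str_contains(renderUnsafe($probe), '<script>'));   // markup survives: vulnerable
assert(!str_contains(renderSafe($probe), '<script>'));    // markup neutralised
assert(renderSafe('acme-vendor_01') === '<h2>Vendor: acme-vendor_01</h2>');

// In the real request handler the parameter is read the same way in both versions;
// only the rendering function differs.
$username = (string)($_GET['username'] ?? '');
echo renderSafe($username);
```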
CVE-2024-12359 is a cross-site scripting vulnerability affecting Code-Projects Admin Dashboard versions 1.0-1.0, allowing attackers to inject malicious scripts via the 'username' parameter in /vendor_management.php.
You are affected if you are using Code-Projects Admin Dashboard versions 1.0 through 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'username' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Refer to the Code-Projects website or security advisories for the official advisory regarding CVE-2024-12359.