Platform: php
Component: university-management-system
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in CodeAstro University Management System version 1.0. It allows attackers to inject scripts into the application, potentially compromising user accounts and data. The flaw resides in the /att_add.php file, specifically in the handling of the 'Student Name' argument. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-1265 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the University Management System. An attacker could craft a malicious link or embed a script within a seemingly legitimate page, tricking users into clicking and triggering the XSS payload. The impact is amplified if the system is used to manage sensitive student data, as attackers could potentially gain access to personally identifiable information (PII).
This vulnerability was publicly disclosed on 2024-02-07 and is tracked by VDB-253008. The availability of a public exploit suggests a higher probability of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on sensitive data warrant immediate attention. No KEV listing or active exploitation campaigns have been confirmed as of this writing.
Educational institutions and organizations utilizing CodeAstro University Management System are at risk. Specifically, deployments with weak input validation or those lacking a WAF are particularly vulnerable. Shared hosting environments where multiple users share the same server resources are also at increased risk, as a compromise of one user could potentially lead to the compromise of others.
• php: Examine the /att_add.php file for unsanitized handling of the 'Student Name' parameter. Check whether output-encoding calls such as htmlspecialchars or strip_tags are missing or applied incorrectly.

// Example of a vulnerable line: the POST value is echoed into the page without encoding
$student_name = $_POST['Student Name'];
echo "Welcome, " . $student_name;

• generic web: Monitor access logs for unusual requests to /att_add.php containing suspicious characters or patterns in the 'Student Name' parameter. Look for POST requests with unusually long or encoded values.

# -E enables the + quantifier; the space in the parameter name appears as %20 or + in a URL
grep -iE 'Student(%20|\+| )Name=[^a-zA-Z0-9 ]+' /var/log/apache2/access.log

• generic web: Submit a harmless probe value against your own deployment and inspect the response body for the value reflected into the HTML without encoding.

curl -s 'https://example.com/att_add.php?Student%20Name=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -i '<script>alert(1)'

disclosure
poc
Exploit Status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-1265 is to upgrade to version 1.0.1 of CodeAstro University Management System. Until the upgrade is possible, consider implementing input validation and sanitization on the 'Student Name' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Regularly review and update the system's security configuration to minimize the attack surface.
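As an added example (not CodeAstro's code), the unencoded echo described above is shown beside a hardened version that validates the field on input and HTML-encodes it on output; the `Student Name` POST key, the helper names and the constructed sample inputs are assumptions.

```php
<?php
// Added example, not code from the University Management System.
// Demonstrates input validation plus output encoding for the 'Student Name'
// field handled by /att_add.php. Field name and helpers are assumptions.
declare(strict_types=1);

// Validate: letters (any script), combining marks, spaces, hyphens, apostrophes
// and periods, bounded in length. Reject anything else rather than "cleaning" it.
function validate_student_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // /u makes the pattern UTF-8 aware; \p{L} and \p{M} are Unicode classes.
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Encode for the HTML body context at output time, independent of validation.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Before: the value is concatenated straight into the page (the advisory's pattern).
function render_welcome_vulnerable(array $post): string
{
    $student_name = (string)($post['Student Name'] ?? '');
    return "Welcome, " . $student_name;
}

// After: validate on input, encode on output.
function render_welcome_fixed(array $post): string
{
    $student_name = validate_student_name((string)($post['Student Name'] ?? ''));
    if ($student_name === null) {
        http_response_code(400);
        return "Invalid student name.";
    }
    return "Welcome, " . h($student_name);
}

// Constructed sample inputs: a benign name and a typical reflected-XSS probe.
foreach (["Ada Lovelace", "<script>alert(1)</script>"] as $input) {
    echo render_welcome_vulnerable(['Student Name' => $input]), PHP_EOL;
    echo render_welcome_fixed(['Student Name' => $input]), PHP_EOL;
}
```

Run with `php example.php`: the probe is rejected by validation, and even a value that passed validation would reach the page only as encoded text because encoding happens at output.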
Update the University Management System to a patched version that addresses the XSS vulnerability in the att_add.php file. Check the release notes or changelog to confirm that CVE-2024-1265 has been addressed. If no patched version is available, consider mitigations such as input sanitization in the att_add.php code to prevent the execution of malicious scripts.
CVE-2024-1265 is a cross-site scripting (XSS) vulnerability affecting CodeAstro University Management System version 1.0. It allows attackers to inject malicious scripts via the /att_add.php file.
You are affected if you are using CodeAstro University Management System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Student Name' field.
While no confirmed active exploitation campaigns are known, the vulnerability has been publicly disclosed and a proof-of-concept is available, increasing the likelihood of exploitation.
Please refer to the CodeAstro website or their security advisory page for the official advisory regarding CVE-2024-1265.