Platform
php
Component
simple-admin-panel
Fixed in
1.0.1
CVE-2024-12932 describes a cross-site scripting (XSS) vulnerability discovered in Simple Admin Panel versions 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and stealing sensitive data. The vulnerability affects the addSizeController.php file and is remediated in version 1.0.1.
Successful exploitation of CVE-2024-12932 enables an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This can lead to various malicious actions, including session hijacking, defacement of the web application, and redirection to phishing sites. The attacker could steal cookies, credentials, or other sensitive information stored in the user's browser. Given the nature of XSS, the impact can range from minor annoyance to complete compromise of user accounts and data.
CVE-2024-12932 was publicly disclosed on December 26, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the ease of exploitation should not be underestimated. No KEV listing is present as of this writing.
Organizations and individuals using Simple Admin Panel version 1.0 are at risk. This includes those deploying the panel on shared hosting environments, as the vulnerability can be exploited by other tenants on the same server. Any system where the panel is used to manage sensitive data or user accounts is particularly vulnerable.
• php / server:
find /var/www/html -name 'addSizeController.php' -print0 | xargs -0 grep -i 'size='
• generic web:
curl -I 'http://your-simple-admin-panel/addSizeController.php?size=<script>alert(1)</script>'
• generic web:
grep -r '<script>' /var/log/apache2/access.log
Disclosure
Exploit Status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-12932 is to immediately upgrade Simple Admin Panel to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'size' parameter in addSizeController.php to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) through the affected parameter and verifying that it does not execute.
Upgrade to a patched version of Simple Admin Panel. If no patched version is available, check and validate user input in the file addSizeController.php, in particular the 'size' parameter, to prevent the injection of malicious code. Escaping HTML output is also essential.
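The two-layer fix described above (validate the 'size' parameter, then escape it on output), shown as an added illustration rather than the Simple Admin Panel source: the handler, the allow-list pattern and the sample request are all assumptions, since the advisory does not reproduce the real addSizeController.php code.

```php
<?php
// Added illustration, not the Simple Admin Panel source: a hypothetical handler
// for the 'size' parameter showing the unsafe pattern next to a hardened version.
declare(strict_types=1);

// Unsafe: reflects the raw request value into HTML, so a value such as
// <script>alert(1)</script> is rendered as markup and executed by the browser.
function renderSizeUnsafe(array $query): string
{
    $size = $query['size'] ?? '';
    return "<p>Added size: " . $size . "</p>";
}

// Layer 1: validate against an allow-list before the value is used anywhere.
// The format is an assumption (1-10 alphanumerics, e.g. "S", "XL", "42");
// adjust it to the application's real size schema.
function validateSize(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9]{1,10}$/', $raw) === 1 ? $raw : null;
}

// Layer 2: escape on output so anything that does reach the page is inert as HTML.
// ENT_QUOTES also encodes single quotes, keeping the value safe inside attributes.
function renderSizeSafe(array $query): string
{
    $size = validateSize((string)($query['size'] ?? ''));
    if ($size === null) {
        // Reject early; the caller would normally answer with HTTP 400 here.
        return "<p>Invalid size value.</p>";
    }
    $escaped = htmlspecialchars($size, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Added size: " . $escaped . "</p>";
}

// Constructed sample request mirroring the advisory's test payload.
$sample = ['size' => '<script>alert(1)</script>'];
echo renderSizeUnsafe($sample), "\n";      // markup reaches the browser unescaped
echo renderSizeSafe($sample), "\n";        // rejected by the allow-list
echo renderSizeSafe(['size' => 'XL']), "\n"; // accepted, and still escaped on output
```

Keep both layers even after upgrading to 1.0.1: validation alone misses values that are legal by the pattern but unsafe in a different context, and escaping alone still lets junk into the data store.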
CVE-2024-12932 is a cross-site scripting (XSS) vulnerability affecting Simple Admin Panel versions 1.0, allowing attackers to inject malicious scripts.
You are affected if you are using Simple Admin Panel version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade Simple Admin Panel to version 1.0.1 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
As of December 26, 2024, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Check the official Simple Admin Panel website or GitHub repository for updates and advisories related to CVE-2024-12932.