Platform
php
Component
pocs
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability, classified as problematic, has been identified in SourceCodester Road Accident Map Marker version 1.0. The flaw lies in the /endpoint/add-mark.php file and allows attackers to inject malicious scripts by manipulating the mark_name/details argument. Successful exploitation could lead to session hijacking or defacement. The vulnerability has been publicly disclosed and a patch is available in version 1.0.1.
The XSS vulnerability in Road Accident Map Marker allows an attacker to inject arbitrary JavaScript code into the application. This code can then be executed in the context of a user's browser when they visit a page containing the injected script. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the application. The impact is amplified if the application is used to collect sensitive user data, as the attacker could potentially intercept this data. Given the public disclosure, the risk of exploitation is elevated.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No known active campaigns targeting this specific vulnerability have been reported. The CVE has been assigned and is available on the NVD. While the CVSS score is LOW, the ease of exploitation and potential impact warrant prompt remediation.
Organizations utilizing Road Accident Map Marker version 1.0, particularly those hosting the application on shared hosting environments or with limited security controls, are at increased risk. Applications integrated with Road Accident Map Marker that rely on user-supplied data for mapping functionality are also vulnerable.
• php / web:
grep -r "mark_name/details" /var/www/html/
• php / web:
curl -s -X POST -d "mark_name/details=<script>alert('XSS')</script>" http://your-road-accident-map-marker-instance/endpoint/add-mark.php | grep "alert('XSS')"
Disclosure
Exploit Status
EPSS
0.16% (37th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13021 is to upgrade to version 1.0.1 of Road Accident Map Marker, which includes the necessary fix. If upgrading is not immediately possible, implement input validation and sanitization on the mark_name/details parameter within the /endpoint/add-mark.php file. Additionally, a Web Application Firewall (WAF) can be configured to block requests containing suspicious JavaScript code in the mark_name/details parameter. Regularly review and update your WAF rules to ensure they remain effective against emerging threats. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the mark_name/details parameter and verifying that it is not executed.
Update to a patched version or disable the component. Validate and escape user input in `/endpoint/add-mark.php` to prevent XSS code injection. Review the source code to identify other vulnerable parameters and apply the necessary mitigations.
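As an added illustration of the validate-and-escape mitigation described above (this is not the project's patch; the field names, length limits and response format are assumptions), the two marker fields are checked on input and HTML-encoded at the point they are written into the page:

```php
<?php
// Illustrative hardening example added to this advisory; not the
// SourceCodester project's own code. Assumes /endpoint/add-mark.php
// receives mark_name and details via POST and later echoes them as HTML.
declare(strict_types=1);

// Validate one field: trim, enforce a length limit, reject control
// characters. Validation keeps stored data sane but is NOT the XSS fix.
function validate_marker_field(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

// Contextual output encoding is the actual XSS mitigation: encode at the
// point the value is inserted into HTML, regardless of what was stored.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the HTML fragment for one marker, or return null on invalid input.
function render_marker(array $post): ?string
{
    $name    = validate_marker_field((string)($post['mark_name'] ?? ''), 100);
    $details = validate_marker_field((string)($post['details'] ?? ''), 1000);
    if ($name === null || $details === null) {
        return null;
    }
    return '<li><b>' . html_escape($name) . '</b>: ' . html_escape($details) . '</li>';
}

// Constructed sample request carrying the advisory's test payload.
$sample = [
    'mark_name' => "Main St <script>alert('XSS')</script>",
    'details'   => 'Rear-end collision, 2 vehicles',
];
$html = render_marker($sample);
echo ($html ?? 'HTTP 400: invalid marker data'), PHP_EOL;
```

The encoded fragment renders the payload as literal text, which is what the post-upgrade check in the mitigation section should observe.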
CVE-2024-13021 is a cross-site scripting (XSS) vulnerability in Road Accident Map Marker version 1.0, affecting the /endpoint/add-mark.php file. Attackers can inject malicious scripts through parameter manipulation.
You are affected if you are running Road Accident Map Marker version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the mark_name/details parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the SourceCodester website or relevant security advisories for the official advisory regarding CVE-2024-13021.