Platform
php
Component
land-record-system
Fixed in
1.0.1
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability identified in PHPGurukul Land Record System version 1.0. The flaw resides in the /admin/add-property.php file and is triggered through manipulation of the Land Subtype argument. A patch is available in version 1.0.1, addressing this security concern.
Successful exploitation of CVE-2024-13077 allows an attacker to inject malicious scripts into the Land Record System's web interface. This can lead to various consequences, including session hijacking, defacement of the administrative panel, and redirection of users to malicious websites. The attacker could potentially steal sensitive information, such as user credentials or property data, depending on the level of access granted to the compromised account. Given the administrative context of /admin/add-property.php, the impact could be significant if an administrator's session is compromised.
CVE-2024-13077 has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to this specific vulnerability, the availability of public information makes it a potential target for opportunistic attackers. The exploit's simplicity suggests a relatively low barrier to entry for exploitation. The vulnerability was added to the NVD on 2024-12-31.
Organizations utilizing PHPGurukul Land Record System version 1.0 are at risk. Specifically, those with publicly accessible administrative interfaces or those who haven't implemented robust input validation measures are particularly vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk.
• php: Examine the /admin/add-property.php file for unsanitized input handling of the 'Land Subtype' parameter.
• generic web: Monitor access logs for requests to /admin/add-property.php with unusual or suspicious values in the Land Subtype parameter. Use curl to test the endpoint with various payloads: curl 'http://example.com/admin/add-property.php?Land%20Subtype=<script>alert("XSS")</script>'
• generic web: Check response headers for Content-Security-Policy (CSP) directives that could mitigate XSS attacks. curl -I http://example.com/admin/add-property.php
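The access-log monitoring suggested above, as an added example that is not part of the advisory or of PHPGurukul's code: it parses combined-format access-log lines, keeps only requests to /admin/add-property.php, decodes the query string and flags a Land Subtype value that carries markup. The log lines are constructed, and the parameter spellings in PARAM_NAMES are assumptions, since the advisory only names the field as "Land Subtype".

```php
<?php
// Added example (not from the advisory or PHPGurukul): flag access-log lines where
// the Land Subtype parameter of /admin/add-property.php carries HTML or script.
declare(strict_types=1);

const TARGET_PATH = '/admin/add-property.php';
// Assumed spellings of the parameter; adjust to the form field name in your deployment.
const PARAM_NAMES = ['landsubtype', 'Land Subtype', 'land_subtype'];
// Heuristic: a tag opener, an inline event handler, or a javascript: URI has no
// place in a land-subtype value. Tune for your own false-positive tolerance.
const SUSPICIOUS_PATTERN = '/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/i';

// Decode "a=1&b=%3Cx%3E" into ['a' => '1', 'b' => '<x>'] without parse_str(),
// which silently rewrites spaces and dots in parameter names to underscores.
function parseQuery(string $query): array
{
    $params = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $params[urldecode($key)] = urldecode($value);
    }
    return $params;
}

// Pull method, path and decoded query out of a combined-format log line:
//   host ident user [time] "METHOD path HTTP/x.y" status size ...
function parseRequestLine(string $logLine): ?array
{
    if (!preg_match('/"([A-Z]+)\s+(\S+)\s+HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    if ($url === false || !isset($url['path'])) {
        return null;
    }
    $query = isset($url['query']) ? parseQuery($url['query']) : [];
    return ['method' => $m[1], 'path' => $url['path'], 'query' => $query];
}

// True when the line targets the vulnerable script and any known spelling of the
// Land Subtype parameter matches the markup heuristic.
function isSuspicious(string $logLine): bool
{
    $req = parseRequestLine($logLine);
    if ($req === null || $req['path'] !== TARGET_PATH) {
        return false;
    }
    foreach (PARAM_NAMES as $name) {
        if (isset($req['query'][$name]) && preg_match(SUSPICIOUS_PATTERN, $req['query'][$name]) === 1) {
            return true;
        }
    }
    return false;
}

// Constructed sample log lines: a benign value, a script tag, a probe against a
// different path (ignored), and an event-handler injection attempt.
$sampleLog = [
    '203.0.113.5 - - [31/Dec/2024:10:00:01 +0000] "GET /admin/add-property.php?landsubtype=Residential HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Dec/2024:10:00:07 +0000] "GET /admin/add-property.php?landsubtype=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '198.51.100.2 - - [31/Dec/2024:10:00:09 +0000] "GET /index.php?landsubtype=%3Cscript%3E HTTP/1.1" 200 300',
    '203.0.113.9 - - [31/Dec/2024:10:00:12 +0000] "GET /admin/add-property.php?landsubtype=x%20onmouseover%3Dalert(1) HTTP/1.1" 200 640',
];

foreach ($sampleLog as $line) {
    printf("%s  %s\n", isSuspicious($line) ? 'ALERT' : 'ok   ', $line);
}
```

Only query-string probes show up in a web server access log; the form on add-property.php is normally submitted by POST, and request bodies are not logged there. To cover that path, log the submitted parameter at the application layer (or in a WAF) and run the same check over that record.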
disclosure
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-13077 is to upgrade PHPGurukul Land Record System to version 1.0.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Land Subtype field to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /admin/add-property.php endpoint can provide an additional layer of protection. Regularly review and update input validation routines to prevent future XSS vulnerabilities.
Update to a patched version or apply the necessary security measures to prevent execution of XSS code. Validate and escape user input, in particular the 'Land Subtype' parameter in the add-property.php file. Consider implementing a Content Security Policy (CSP) to mitigate XSS attacks.
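The input validation, output escaping and CSP recommended above, as an added example that is not PHPGurukul's code and not the 1.0.1 patch: the unescaped echo pattern that produces this class of bug is shown beside a hardened handler. The form field name landsubtype, the allow-list of subtypes and the function names are assumptions made for the illustration.

```php
<?php
// Added example (not PHPGurukul's code): reflected-XSS pattern and a hardened
// handler for the "Land Subtype" field. Field name and allow-list are assumed.
declare(strict_types=1);

// --- Vulnerable pattern (constructed for illustration) ----------------------
// Writing the raw request value into HTML means a submitted <script> tag is
// rendered as script in the administrator's browser instead of as text.
function renderSubtypeVulnerable(array $request): string
{
    $subtype = (string) ($request['landsubtype'] ?? '');
    return '<td>' . $subtype . '</td>'; // no validation, no escaping
}

// --- Hardened handler --------------------------------------------------------
// 1) Validate the value against an allow-list on input.
// 2) Escape on output with htmlspecialchars() regardless of step 1.
// 3) Send a CSP so an escape missed elsewhere cannot run inline script.
const ALLOWED_SUBTYPES = ['Residential', 'Commercial', 'Agricultural', 'Industrial'];

// Exact match against the allow-list; anything else is rejected, not "cleaned".
function validateSubtype(string $value): ?string
{
    $value = trim($value);
    return in_array($value, ALLOWED_SUBTYPES, true) ? $value : null;
}

// ENT_QUOTES covers attribute contexts as well as element text; ENT_SUBSTITUTE
// keeps malformed UTF-8 from turning the whole output into an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSubtypeHardened(array $request): string
{
    $subtype = validateSubtype((string) ($request['landsubtype'] ?? ''));
    if ($subtype === null) {
        // Nothing attacker-controlled is echoed back on rejection.
        return '<td class="error">Invalid land subtype</td>';
    }
    return '<td>' . escapeHtml($subtype) . '</td>';
}

// Defence in depth: disallow inline scripts and remote script sources.
function sendCspHeader(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Demonstration on constructed request bodies (run from the CLI).
$benign  = ['landsubtype' => 'Residential'];
$hostile = ['landsubtype' => '<script>alert(1)</script>'];

sendCspHeader();
echo 'vulnerable, hostile input : ', renderSubtypeVulnerable($hostile), PHP_EOL;
echo 'hardened, hostile input   : ', renderSubtypeHardened($hostile), PHP_EOL;
echo 'hardened, benign input    : ', renderSubtypeHardened($benign), PHP_EOL;
echo 'escaped value on its own  : ', escapeHtml($hostile['landsubtype']), PHP_EOL;
```

Allow-list validation and output escaping are independent controls: the first rejects values the application never expects, the second guarantees that whatever is stored is rendered as text. The CSP in sendCspHeader() is the same control the advisory suggests checking for with curl -I, and it only helps if the page's own scripts are served from files rather than inline blocks.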
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts via the /admin/add-property.php file.
Yes, if you are running PHPGurukul Land Record System version 1.0, you are affected by this XSS vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to PHPGurukul Land Record System version 1.0.1 or later. As a temporary workaround, implement input validation and sanitization on the Land Subtype field.
While no confirmed active campaigns have been reported, the public disclosure of the vulnerability increases the likelihood of exploitation by opportunistic attackers.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-13077 and the Land Record System.