Platform
php
Component
land-record-system
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Land Record System version 1.0. It allows attackers to inject malicious scripts into the application by manipulating the Admin Name parameter handled by the /admin/admin-profile.php file. The vulnerability is exploitable remotely and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13083 allows an attacker to execute arbitrary JavaScript code in the context of a user's browser session. This can lead to session hijacking, credential theft, and defacement of the Land Record System's administrative interface. The attacker could potentially gain unauthorized access to sensitive land record data or modify system configurations. The impact is amplified if the administrative interface is used to manage critical data or processes, as an attacker could leverage this vulnerability to gain broader control over the system.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There are currently no known active campaigns targeting this specific vulnerability, but the availability of a public exploit increases the risk. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but proactive mitigation is still recommended.
Organizations utilizing PHPGurukul Land Record System version 1.0, particularly those with publicly accessible administrative interfaces, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user could potentially impact others.
• php / web: `curl -I 'http://your-land-record-system/admin/admin-profile.php?Admin%20Name=<script>alert(1)</script>' | grep HTTP/1.1`
• php / web: Examine /admin/admin-profile.php for unsanitized input handling of the 'Admin Name' parameter.
• generic web: Check access logs for unusual requests to /admin/admin-profile.php with suspicious parameters in the Admin Name field.
disclosure
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-13083 is to upgrade to version 1.0.1 of PHPGurukul Land Record System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Admin Name field to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security configurations to minimize the attack surface.
Update to a patched version of the software. If no patched version is available, review the code in `/admin/admin-profile.php` and make sure that user input in the `Admin Name` argument is properly escaped so that malicious JavaScript cannot execute. Consider temporarily disabling the functionality until a fix can be applied.
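The output-escaping fix described in the two mitigation paragraphs above, as an added example: this is illustrative code, not PHPGurukul's own, and the `adminname` field name, the two render functions and the validation rule are assumptions.

```php
<?php
// Added example, not PHPGurukul's code. The field name 'adminname', the
// render_profile_* helpers and the name rule below are assumptions.

// Vulnerable pattern: the stored admin name is echoed back into an HTML
// attribute without escaping, so a value containing a quote and '>' can
// close the attribute and inject its own markup.
function render_profile_vulnerable(string $adminName): string
{
    return '<input type="text" name="adminname" value="' . $adminName . '">';
}

// Hardened pattern: escape on output for the HTML attribute context.
// ENT_QUOTES covers both quote styles, so the value cannot break out.
function render_profile_safe(string $adminName): string
{
    $escaped = htmlspecialchars($adminName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="adminname" value="' . $escaped . '">';
}

// Optional input-side validation in addition to output escaping: a display
// name has no need for angle brackets or quotes, so reject such values
// instead of trying to clean them (requires the mbstring extension).
function is_valid_admin_name(string $name): bool
{
    $len = mb_strlen($name, 'UTF-8');
    return $len >= 1
        && $len <= 60
        && preg_match('/^[\p{L}\p{N} .\'-]+$/u', $name) === 1;
}

// Constructed sample input of the kind the advisory describes.
$sample = '"><script>alert(1)</script>';

// Unescaped: the attribute is closed and a script element is emitted.
echo render_profile_vulnerable($sample), PHP_EOL;

// Escaped: quotes and angle brackets become entities and stay inside the
// attribute value, so the browser renders them as text.
echo render_profile_safe($sample), PHP_EOL;

// The sample is rejected by validation; an ordinary name is accepted.
var_dump(is_valid_admin_name($sample));
var_dump(is_valid_admin_name("Anne-Marie O'Neil"));
```

Escaping at output time is the fix that closes the bug regardless of how the value reached the database; validation on input only narrows what gets stored.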
CVE-2024-13083 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are running PHPGurukul Land Record System version 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
Upgrade to version 1.0.1 of PHPGurukul Land Record System. As a temporary workaround, implement input validation and sanitization on the Admin Name field.
While there are no confirmed active campaigns, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the PHPGurukul website or security mailing lists for the official advisory regarding CVE-2024-13083.