Platform
php
Component
online-job-portal
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in SourceCodester Online Job Portal versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides within the 'Manage Walkin Page' component, specifically the /Employer/ManageWalkin.php file. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-1919 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the job portal. An attacker could craft a malicious link containing the XSS payload and send it to unsuspecting users, triggering the script execution upon access. The blast radius extends to all users of the affected Online Job Portal instance, particularly those interacting with the 'Manage Walkin' functionality.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score of 3.5 (LOW) indicates a limited impact and exploitability. It is not currently listed on CISA KEV. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Organizations utilizing SourceCodester Online Job Portal for recruitment and job postings are at risk, especially those with legacy configurations or shared hosting environments where security patching may be delayed. Administrators of these portals should prioritize patching to prevent potential data breaches and user compromise.
• php / web:
curl -I 'http://your-online-job-portal.com/Employer/ManageWalkin.php?Job%20Title=<script>alert(1)</script>' | grep -i 'content-type'
• generic web:
grep -i "<script" /var/log/apache2/access.log
Note that a literal "<script" match only catches requests whose payload was logged unencoded; a URL-encoded payload (%3Cscript) will not match this grep.
Disclosure
Exploit Status
EPSS
0.14% (34th percentile)
CVSS vector
The primary mitigation for CVE-2024-1919 is to immediately upgrade to version 1.0.1 of SourceCodester Online Job Portal. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'Job Title' parameter within the /Employer/ManageWalkin.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security configurations to minimize the attack surface.
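The following PHP is an added illustration of the two mitigations named above (input validation plus output encoding on the 'Job Title' value); it is not the project's ManageWalkin.php code, and the function names, the surrounding markup and the request array are assumptions.

```php
<?php
// Added example, not code from SourceCodester Online Job Portal.
// Shows the unsafe pattern (raw value echoed into HTML) next to the
// hardened pattern (validate, then HTML-encode on output).
declare(strict_types=1);

// Unsafe pattern: the request value is concatenated straight into HTML,
// so a value such as <script>alert(1)</script> is rendered as markup.
function renderJobTitleVulnerable(array $request): string
{
    $title = $request['Job Title'] ?? '';
    return '<h2>Walk-in for: ' . $title . '</h2>';
}

// Validation step: reject empty, over-long, or control-character input.
// Validation narrows what is accepted; it is not the XSS control by itself.
function validateJobTitle(string $raw): ?string
{
    $title = trim($raw);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 100) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $title) === 1) {
        return null;
    }
    return $title;
}

// Hardened pattern: after validation, encode every HTML-significant
// character (< > & " ') so the browser treats the value as text, not markup.
function renderJobTitleSafe(array $request): string
{
    $title = validateJobTitle((string)($request['Job Title'] ?? ''));
    if ($title === null) {
        return '<h2>Walk-in for: (invalid job title)</h2>';
    }
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Walk-in for: ' . $encoded . '</h2>';
}

// Constructed sample request reusing the payload shape from the check above.
// Caveat: PHP itself stores a query key "Job Title" as "Job_Title" in $_GET
// (spaces become underscores); this array is built by hand, so the key is
// used as-is here.
$sample = ['Job Title' => '<script>alert(1)</script>'];
echo renderJobTitleVulnerable($sample), PHP_EOL; // script tag reaches the browser
echo renderJobTitleSafe($sample), PHP_EOL;       // entity-encoded, inert text
```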
Upgrade to a patched version, or implement proper validation and sanitisation of user input in the ManageWalkin.php file, particularly in the Job Title field, to prevent XSS injection. Review the source code to identify and fix other possible XSS vulnerabilities.
CVE-2024-1919 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Online Job Portal versions 1.0–1.0, allowing attackers to inject malicious scripts via the 'Job Title' parameter.
You are affected if you are using SourceCodester Online Job Portal version 1.0 or 1.0. Check your version and upgrade immediately.
Upgrade to version 1.0.1. If immediate upgrade is not possible, implement input validation and output encoding on the 'Job Title' parameter.
While there's no confirmed active exploitation, the vulnerability has been publicly disclosed and a proof-of-concept may be available, increasing the risk.
Refer to SourceCodester's official website or security advisories for updates and information regarding CVE-2024-1919.