Platform
php
Component
vehicle-management-system
Fixed in
1.0.1
CVE-2024-12783 describes a cross-site scripting (XSS) vulnerability, classified as problematic, in the isourcecode Vehicle Management System. The flaw lets an attacker inject script into pages served by the application, putting user sessions and data integrity at risk. It affects version 1.0 of the system and is fixed in version 1.0.1.
The attack surface is the 'extra-cost' parameter of /billaction.php. Because the parameter's value reaches the rendered page without proper encoding, a crafted value is interpreted as markup and any JavaScript it carries executes in the victim's browser within the application's origin. That is enough for session hijacking, defacement, or redirection to attacker-controlled sites. The vulnerability is remotely exploitable: no local access to the server is needed, only the ability to get the crafted request processed in a victim's session. The impact is amplified where the Vehicle Management System handles customer data or billing, since an attacker acting through a hijacked session could read that data or alter records.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of the vulnerability details increases the likelihood of future attacks. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations running isourcecode Vehicle Management System version 1.0 are at risk, particularly those with publicly reachable instances or instances that process sensitive financial or personal data. Deployments with several users, such as staff and administrators sharing one instance, are at increased risk, because script injected through one user's request executes with the privileges of whichever user views the affected page.
• php / web (send the payload and check whether it comes back unencoded; add -b with a valid session cookie if the page requires login; a match means the value is reflected raw, while no match does not prove the instance is safe, since the page may only process the parameter on a form submission):
curl -sG --data-urlencode 'extra-cost=<script>alert("XSS")</script>' 'http://your-vehicle-management-system/billaction.php' | grep -F '<script>alert("XSS")</script>'
• generic web (look for probing of the parameter in the access log; attackers usually URL-encode the payload, so match on the parameter name rather than on '<script>'):
grep -iE 'billaction\.php\?.*extra-cost=' /var/log/apache2/access.log
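A plain grep on the parameter name lists every request that touched 'extra-cost', benign ones included, and misses nothing only because it matches so broadly. The following is an added example, not one of the page's own checks and not code from the isourcecode project, that parses Apache combined-log lines, URL-decodes the parameter value (once via parse_str, once more for double encoding) and flags values that are not a plain decimal amount and contain markup or script-bearing attributes. The log lines are constructed for the example; the IP addresses and timestamps are not real traffic.

```php
<?php
// Added example: detection logic for CVE-2024-12783 probes in an Apache access log.
// Not the project's code and not the page's original grep; the sample lines are constructed.

function is_xss_probe(string $logLine): bool
{
    // Combined/Common Log Format request field: "METHOD /path?query HTTP/x.y"
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\//', $logLine, $m)) {
        return false;
    }
    $url = $m[1];
    if (stripos($url, 'billaction.php') === false) {
        return false;
    }
    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return false;
    }
    parse_str($query, $params);            // parse_str URL-decodes every value once
    $value = $params['extra-cost'] ?? null;
    if (!is_string($value)) {
        return false;
    }
    // Second decode catches double-encoded payloads such as %253Cscript%253E.
    $decoded = rawurldecode($value);
    // A legitimate extra cost is a decimal amount; anything else is worth a look,
    // but only markup or script-bearing attributes are flagged as an XSS probe.
    if (preg_match('/^\d{1,9}(\.\d{1,2})?$/', $decoded)) {
        return false;
    }
    return (bool) preg_match('/<\s*script|javascript:|on\w+\s*=|<\s*img|<\s*svg/i', $decoded);
}

// Constructed sample lines (not real traffic).
$lines = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /billaction.php?extra-cost=12.50 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /billaction.php?extra-cost=%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /billaction.php?extra-cost=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 1024',
    '203.0.113.4 - - [10/Jan/2025:10:00:04 +0000] "GET /index.php?extra-cost=%3Cscript%3E HTTP/1.1" 200 300',
];

foreach ($lines as $line) {
    echo (is_xss_probe($line) ? 'ALERT  ' : 'ok     '), $line, PHP_EOL;
}
```

Run it with `php detect.php`; the second and third sample lines are reported, the numeric value and the request to a different script are not. To scan a real log, replace the `$lines` array with `file('/var/log/apache2/access.log')`. POST bodies are not logged by Apache, so a probe sent as a form submission will not be visible this way; that is a limit of access-log detection, not of the script.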
Exploit Status
EPSS
0.24% (48th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12783 is to upgrade the isourcecode Vehicle Management System to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, validate the 'extra-cost' parameter in /billaction.php (it is an amount, so anything that is not a decimal number can be rejected outright) and HTML-encode the value wherever it is written into the page, for example with htmlspecialchars() using ENT_QUOTES, so that a value that slips past validation is rendered as text rather than markup. A web application firewall (WAF) can additionally be configured to drop requests carrying XSS payloads, but it is a second layer, not a replacement for the fix. Test any configuration change in a non-production environment before deploying it to production.
Update to a fixed version of the Vehicle Management System. If no fixed version is available, review and filter the input of the 'extra-cost' parameter in /billaction.php to prevent execution of malicious JavaScript, and implement input validation and output encoding to prevent future XSS attacks.
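The mitigation above in code, as an added example that is not the page's code and not the isourcecode project's billaction.php (whose source is not shown on this page): a hypothetical excerpt that echoes the parameter into a form field the way a vulnerable page would, beside a hardened version that validates the amount and encodes the output. The field markup and function names are assumptions; only the file name and the 'extra-cost' parameter come from the advisory.

```php
<?php
// Added example (hypothetical excerpt, not the project's billaction.php):
// the vulnerable pattern and its hardened form side by side.

// Vulnerable: the raw query parameter is written into the page, so a value such as
// "><script>alert("XSS")</script> closes the attribute and the script executes.
function render_extra_cost_vulnerable(array $get): string
{
    $extraCost = $get['extra-cost'] ?? '';
    return '<input type="text" name="extra-cost" value="' . $extraCost . '">';
}

// Hardened step 1: validate. An extra cost is a decimal amount, so anything else is
// rejected. Returns the normalized amount, or null for invalid input.
function validate_extra_cost(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return '0.00';
    }
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

// Hardened step 2: encode on output regardless of validation, so a future change
// that loosens the validation cannot reintroduce the injection.
function render_extra_cost_hardened(array $get): string
{
    $validated = validate_extra_cost($get['extra-cost'] ?? null);
    if ($validated === null) {
        http_response_code(400);
        return 'Invalid extra-cost value';
    }
    $safe = htmlspecialchars($validated, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="extra-cost" value="' . $safe . '">';
}

// Demonstration with a constructed payload and a benign value.
$attack = ['extra-cost' => '"><script>alert("XSS")</script>'];
echo render_extra_cost_vulnerable($attack), PHP_EOL; // attribute closed, script injected
echo render_extra_cost_hardened($attack), PHP_EOL;   // rejected: Invalid extra-cost value

$benign = ['extra-cost' => '12.5'];
echo render_extra_cost_hardened($benign), PHP_EOL;   // value="12.50"
```

The two steps are deliberately independent: validation alone would be enough for this parameter, but the encoding on output is what protects the page if the parameter is later allowed to carry free text. If the value is also used in a database query, parameterize that query separately; output encoding addresses only the HTML context.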
CVE-2024-12783 is a cross-site scripting (XSS) vulnerability affecting version 1.0 of the isourcecode Vehicle Management System, allowing attackers to inject malicious scripts via the 'extra-cost' parameter of /billaction.php.
You are affected if you are using isourcecode Vehicle Management System version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, validate the 'extra-cost' parameter and HTML-encode it wherever it is written into the page.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed and may be targeted by attackers.
Refer to the isourcecode website or relevant security forums for the official advisory regarding CVE-2024-12783.