Platform
php
Component
land-record-system
Fixed in
1.0.1
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability, classified as problematic, in PHPGurukul Land Record System version 1.0. It resides in the /admin/add-property.php file and is triggered by manipulation of the Land Subtype argument. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13077 allows an attacker to inject malicious scripts into the Land Record System's web interface. This can lead to various consequences, including session hijacking, defacement of the administrative panel, and redirection of users to malicious websites. The attacker could potentially steal sensitive information, such as user credentials or property data, depending on the level of access granted to the compromised account. Given the administrative context of /admin/add-property.php, the impact could be significant if an administrator's session is compromised.
CVE-2024-13077 has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to this specific vulnerability, the availability of public information makes it a potential target for opportunistic attackers. The exploit's simplicity suggests a relatively low barrier to entry for exploitation. The vulnerability was added to the NVD on 2024-12-31.
Organizations utilizing PHPGurukul Land Record System version 1.0 are at risk. Specifically, those with publicly accessible administrative interfaces or those who haven't implemented robust input validation measures are particularly vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk.
• php: Examine the /admin/add-property.php file for unsanitized input handling of the 'Land Subtype' parameter.
• generic web: Monitor access logs for requests to /admin/add-property.php with unusual or suspicious values in the Land Subtype parameter. Use curl to test the endpoint with various payloads: curl 'http://example.com/admin/add-property.php?Land%20Subtype=<script>alert("XSS")</script>'
• generic web: Check response headers for Content-Security-Policy (CSP) directives that could mitigate XSS attacks. curl -I http://example.com/admin/add-property.php
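The log-monitoring check in the list above, as an added example that is not part of this advisory or of the PHPGurukul project: a PHP script that scans combined-format access log lines for requests to /admin/add-property.php whose Land Subtype query value contains HTML or script markup. The log lines are constructed, and the exact query parameter name is an assumption (the regex accepts the space/underscore variants PHP produces when decoding "Land%20Subtype").

```php
<?php
// Added example, not PHPGurukul code and not from the advisory. Scans access log
// lines for requests to the vulnerable endpoint carrying markup in the Land
// Subtype parameter. Log lines and parameter name are constructed/assumed.

declare(strict_types=1);

const TARGET_PATH = '/admin/add-property.php';

// Extract method and request target from a combined-format access log line.
function parseRequest(string $logLine): ?array
{
    if (!preg_match('/"(GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    return ['method' => $m[1], 'target' => $m[2]];
}

// Decoded query parameters of a request target ([] when there is no query).
// Note: parse_str URL-decodes values and turns spaces/dots in names into "_".
function queryParams(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);
    return $params;
}

// A subtype name should be plain text; angle brackets, javascript: URLs or
// inline event handlers are indicators worth alerting on.
function looksLikeMarkup(string $value): bool
{
    return (bool) preg_match('/[<>]|javascript:|on\w+\s*=/i', $value);
}

// Return the log lines whose Land Subtype value looks like markup.
function findSuspiciousRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        $req = parseRequest($line);
        if ($req === null || parse_url($req['target'], PHP_URL_PATH) !== TARGET_PATH) {
            continue;
        }
        foreach (queryParams($req['target']) as $name => $value) {
            // Assumed parameter name; accept "Land Subtype", "Land_Subtype", "landsubtype".
            if (is_string($value)
                && preg_match('/^land[ _]?subtype$/i', (string) $name)
                && looksLikeMarkup($value)) {
                $hits[] = ['line' => $line, 'param' => (string) $name, 'value' => $value];
            }
        }
    }
    return $hits;
}

// Constructed sample log: one legitimate request, one carrying the generic
// <script> probe already quoted in this advisory (URL-encoded as a server logs it),
// and one unrelated admin request.
$constructedLog = [
    '203.0.113.5 - - [31/Dec/2024:10:00:01 +0000] "GET /admin/add-property.php?Land%20Subtype=Residential HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Dec/2024:10:00:07 +0000] "GET /admin/add-property.php?Land%20Subtype=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E HTTP/1.1" 200 540',
    '203.0.113.9 - - [31/Dec/2024:10:00:09 +0000] "GET /admin/index.php HTTP/1.1" 200 300',
];

foreach (findSuspiciousRequests($constructedLog) as $hit) {
    printf("suspicious %s=%s in: %s\n", $hit['param'], $hit['value'], $hit['line']);
}
```

Only the second constructed line is reported. The caveat a practitioner should keep in mind: standard access logs record the request line, not POST bodies, so if the add-property form submits via POST the same probe would be invisible to this scan and would have to be caught by a WAF, application-level logging, or a reverse proxy that logs request bodies.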
disclosure
Exploit Status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13077 is to upgrade PHPGurukul Land Record System to version 1.0.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Land Subtype field to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /admin/add-property.php endpoint can provide an additional layer of protection. Regularly review and update input validation routines to prevent future XSS vulnerabilities.
Update to a fixed version or apply the necessary security measures to prevent execution of XSS code. Validate and escape user input, especially the 'Land Subtype' parameter in the add-property.php file. Consider implementing a Content Security Policy (CSP) to mitigate XSS attacks.
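The validate-and-escape workaround described above, as an added example that is not PHPGurukul's code and does not reproduce the real add-property.php: a vulnerable pattern (a request value echoed into admin HTML unchanged) beside a hardened one that first allow-lists the value and then applies contextual HTML encoding. The subtype list, the function names and the demo inputs are assumptions made for illustration.

```php
<?php
// Added example, not PHPGurukul's code. Models the pattern behind CVE-2024-13077
// (a form value reflected into admin HTML) and the two-layer fix the advisory
// recommends: input validation plus output escaping. Subtype list is assumed.

declare(strict_types=1);

// Vulnerable pattern: the raw request value lands in the page body unchanged.
function renderSubtypeVulnerable(string $landSubtype): string
{
    return "<td>" . $landSubtype . "</td>";
}

// Layer 1: allow-list validation. A land subtype is one of a small set of known
// names (assumed list), so anything containing markup never gets through.
const ALLOWED_LAND_SUBTYPES = ['Residential', 'Commercial', 'Agricultural', 'Industrial'];

function validateLandSubtype(string $landSubtype): ?string
{
    $value = trim($landSubtype);
    if ($value === '' || strlen($value) > 64) {
        return null;
    }
    // Strict comparison: no type juggling, exact match against the allow-list.
    return in_array($value, ALLOWED_LAND_SUBTYPES, true) ? $value : null;
}

// Layer 2: contextual output encoding for an HTML text node. Applied even to
// validated values, so legacy free-text records are also rendered safely.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSubtypeHardened(string $landSubtype): string
{
    $validated = validateLandSubtype($landSubtype);
    if ($validated === null) {
        // Reject rather than try to "clean" the input; a generic message leaks nothing.
        http_response_code(400);
        return "<td>Invalid land subtype</td>";
    }
    return "<td>" . escapeHtml($validated) . "</td>";
}

// Demonstration with constructed inputs: a legitimate subtype and the generic
// <script> probe already quoted in this advisory's detection notes.
$inputs = [
    'Residential',
    '<script>alert("XSS")</script>',
];
foreach ($inputs as $in) {
    echo "vulnerable:   " . renderSubtypeVulnerable($in) . PHP_EOL;
    echo "escaped only: " . escapeHtml($in) . PHP_EOL;
    echo "hardened:     " . renderSubtypeHardened($in) . PHP_EOL;
}
```

Run with the PHP CLI, the vulnerable renderer emits the raw script tag, the escape-only line shows it neutralised as `&lt;script&gt;...`, and the hardened renderer accepts only the allow-listed name and rejects the probe. Escaping alone already stops the injection; the allow-list is the cheaper check to run first, and it also keeps bad data out of the property records. A CSP, as the advisory suggests, is a third, browser-side layer and does not replace either of these.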
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts via the /admin/add-property.php file.
Yes, if you are running PHPGurukul Land Record System version 1.0, you are affected by this XSS vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to PHPGurukul Land Record System version 1.0.1 or later. As a temporary workaround, implement input validation and sanitization on the Land Subtype field.
While no confirmed active campaigns have been reported, the public disclosure of the vulnerability increases the likelihood of exploitation by opportunistic attackers.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-13077 and the Land Record System.