免费扫描
LOWCVE-2024-1265CVSS 2.4

CodeAstro University Management System Attendance Management att_add.php cross site scripting

翻译中…

平台

php

组件

university-management-system

修复版本

1.0.1

AI Confidence: highNVDEPSS 0.1%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

A problematic cross-site scripting (XSS) vulnerability has been identified in CodeAstro University Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability resides within the /att_add.php file, specifically affecting the handling of the 'Student Name' argument. A fix is available in version 1.0.1.

影响与攻击场景翻译中…

Successful exploitation of CVE-2024-1265 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the University Management System. An attacker could craft a malicious link or embed a script within a seemingly legitimate page, tricking users into clicking and triggering the XSS payload. The impact is amplified if the system is used to manage sensitive student data, as attackers could potentially gain access to personally identifiable information (PII).

利用背景翻译中…

This vulnerability was publicly disclosed on 2024-02-07 and is tracked by VDB-253008. The availability of a public exploit suggests a higher probability of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact on sensitive data warrant immediate attention. No KEV listing or active exploitation campaigns have been confirmed as of this writing.

哪些人处于风险中翻译中…

Educational institutions and organizations utilizing CodeAstro University Management System are at risk. Specifically, deployments with weak input validation or those lacking a WAF are particularly vulnerable. Shared hosting environments where multiple users share the same server resources are also at increased risk, as a compromise of one user could potentially lead to the compromise of others.

检测步骤翻译中…

• php: Examine the /attadd.php file for unsanitized input handling of the 'Student Name' parameter. Search for patterns like htmlspecialchars or striptags which are missing or improperly implemented.

// Example of a vulnerable line
$student_name = $_POST['Student Name'];
echo "Welcome, " . $student_name;

• generic web: Monitor access logs for unusual requests to /att_add.php containing suspicious characters or patterns in the 'Student Name' parameter. Look for POST requests with unusually long or encoded values.

grep -i 'Student Name=[^a-zA-Z0-9 ]+' /var/log/apache2/access.log

• generic web: Inspect response headers for signs of XSS payloads. Check for unusual JavaScript code being injected into the HTML content.

curl -I https://example.com/att_add.php?Student Name=<script>alert(1)</script>

攻击时间线

  1. Disclosure

    disclosure

  2. PoC

    poc

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.06% (19% 百分位)

CISA SSVC

利用情况none
可自动化no
技术影响partial

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N2.4LOWAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredHigh攻击所需的认证级别User InteractionRequired是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityNone敏感数据泄露风险IntegrityLow数据未授权篡改风险AvailabilityNone服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
高 — 需要管理员或特权账户。
User Interaction
需要 — 受害者必须打开文件、点击链接或访问特制页面。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
无 — 无机密性影响。
Integrity
低 — 攻击者可修改部分数据,影响有限。
Availability
无 — 无可用性影响。

受影响的软件

组件university-management-system
供应商CodeAstro
影响范围修复版本
1.0 – 1.01.0.1

弱点分类 (CWE)

CWE-79

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2024-1265 is to upgrade to version 1.0.1 of CodeAstro University Management System. Until the upgrade is possible, consider implementing input validation and sanitization on the 'Student Name' field to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Regularly review and update the system's security configuration to minimize the attack surface.

修复方法翻译中…

Actualice el sistema de gestión universitaria a una versión parcheada que solucione la vulnerabilidad XSS en el archivo att_add.php. Verifique las notas de la versión o el registro de cambios para confirmar que la vulnerabilidad CVE-2024-1265 ha sido abordada. Si no hay una versión parcheada disponible, considere implementar medidas de mitigación como la desinfección de entradas en el código att_add.php para evitar la ejecución de scripts maliciosos.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2024-1265 — XSS in CodeAstro University Management System?

CVE-2024-1265 is a cross-site scripting (XSS) vulnerability affecting CodeAstro University Management System versions 1.0 through 1.0. It allows attackers to inject malicious scripts via the /att_add.php file.

Am I affected by CVE-2024-1265 in CodeAstro University Management System?

You are affected if you are using CodeAstro University Management System version 1.0 or 1.0. Upgrade to version 1.0.1 to resolve the vulnerability.

How do I fix CVE-2024-1265 in CodeAstro University Management System?

The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Student Name' field.

Is CVE-2024-1265 being actively exploited?

While no confirmed active exploitation campaigns are known, the vulnerability has been publicly disclosed and a proof-of-concept is available, increasing the likelihood of exploitation.

Where can I find the official CodeAstro advisory for CVE-2024-1265?

Please refer to the CodeAstro website or their security advisory page for the official advisory regarding CVE-2024-1265.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE