Platform
php
Component
cve_hub
Fixed version
1.0.1
CVE-2024-0282 is a cross-site scripting (XSS) vulnerability affecting Kashipara Food Management System version 1.0. It allows an attacker to inject script into pages served by the application, which can lead to session hijacking or defacement. This page reports a fix in version 1.0.1; users are strongly encouraged to upgrade.
Successful exploitation of CVE-2024-0282 lets an attacker run arbitrary JavaScript in the context of a victim's browser session with the application. Depending on what the victim can do in the application, this can be used to steal session tokens or credentials, redirect users to phishing pages, or deface the application's interface. The flaw is in addmaterialsubmit.php, in the handling of the tin parameter: the value is written into the page without adequate output encoding, so a crafted value is executed when a user views the affected page. Because the exploit details are public, the bar for exploitation is low.
CVE-2024-0282 has been publicly disclosed, which increases the likelihood of opportunistic exploitation. The vulnerability is rated LOW severity under CVSS. Public proof-of-concept payloads are likely available, so the vulnerability is easy to trigger. It was published on 2024-01-07 and is not currently listed in the CISA KEV catalog.
Organizations running Kashipara Food Management System are at risk, particularly where the instance is reachable from the internet. Because XSS executes in the browser of whichever user views the injected content, the impact is highest where administrative users view material entries submitted by lower-privileged or anonymous users: a single injected value can then be used to act with the administrator's privileges.
• php / web: locate the code that reads the tin parameter and check whether it is written into HTML without encoding (the install path is an assumption; adjust to your deployment).
grep -rnE '\$_(GET|POST|REQUEST)\[.tin.\]' /var/www/kashipara_food_management_system/ --include='*.php'
• generic web: send the test payload and inspect the response body for the unencoded payload. The payload must be URL-encoded and the URL quoted, otherwise the shell treats < and > as redirections; use -I (HEAD) only to confirm the page exists, since headers will never show the reflection. If the form submits with POST, use curl --data 'tin=...' instead. A count of 0 means the payload is not reflected verbatim.
curl -s 'http://your-website.com/addmaterialsubmit.php?tin=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E' | grep -c "<script>alert('XSS')</script>"
• generic web: check access logs for requests to addmaterialsubmit.php whose tin value contains markup, raw or URL-encoded (log path varies by server).
grep -E 'addmaterialsubmit\.php\?[^ ]*tin=' /var/log/apache2/access.log | grep -iE '%3C|<|script|onerror|onload'
• generic web: on the browser side, a Content-Security-Policy served in report-only mode with a reporting endpoint will report inline scripts that would have executed; this is a more reliable signal than watching the browser console for JavaScript errors.
disclosure
Exploitation status
EPSS
0.09% (26th percentile)
CVSS vector
The primary mitigation for CVE-2024-0282 is to upgrade Kashipara Food Management System to version 1.0.1 or later, which this page reports as containing the fix. If upgrading is not immediately feasible, add input validation on the tin parameter in addmaterialsubmit.php (accept only the format the field is meant to hold) and encode the value for the HTML context in which it is output; validation alone is not sufficient, because any value that reaches the page must still be encoded. A web application firewall (WAF) with XSS rules can provide a temporary layer of protection, but WAF signatures are routinely bypassed and should not replace the code fix. After upgrading, verify the fix by submitting a simple XSS payload (e.g. <script>alert('XSS')</script>) through the tin parameter and confirming in the response body that it is returned encoded (for example as &lt;script&gt;) rather than as live markup.
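The following is an added example, not code from Kashipara Food Management System, showing the unsafe pattern the advisory describes for the tin parameter beside a validated and output-encoded handler, together with the post-fix verification described above. The function names, the accepted format for tin, and the request shape are assumptions made for illustration.

```php
<?php
// Added example, not code from Kashipara Food Management System. It contrasts the
// unsafe pattern described for the 'tin' parameter of addmaterialsubmit.php with a
// validated and output-encoded handler. Function names and the accepted 'tin'
// format are assumptions made for illustration.
declare(strict_types=1);

// Unsafe: the raw parameter is concatenated into HTML, so a value such as
// <script>alert('XSS')</script> becomes live markup in the rendered page.
function renderTinUnsafe(string $tin): string
{
    return '<input type="text" name="tin" value="' . $tin . '">';
}

// Step 1, input validation: accept only the shape the field is meant to hold.
// The character class and length limit are assumed, not taken from the application.
function validateTin(string $tin): bool
{
    return preg_match('/^[A-Za-z0-9._-]{1,64}$/', $tin) === 1;
}

// Step 2, output encoding for the HTML attribute context. ENT_QUOTES escapes both
// quote styles so the value cannot close the attribute; ENT_SUBSTITUTE keeps
// htmlspecialchars() from returning '' on invalid UTF-8 (which would hide bad input).
function renderTinSafe(string $tin): string
{
    $encoded = htmlspecialchars($tin, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="tin" value="' . $encoded . '">';
}

// Hardened handler: invalid values are rejected with 400 rather than echoed back;
// valid values are still encoded, since validation is not a substitute for encoding.
function handleAddMaterial(array $request): array
{
    $tin = $request['tin'] ?? null;
    if (!is_string($tin) || !validateTin($tin)) {
        return ['status' => 400, 'body' => 'Invalid tin value'];
    }
    return ['status' => 200, 'body' => renderTinSafe($tin)];
}

// Post-fix verification: the test payload must not survive as a script tag or as an
// injected event-handler attribute.
function payloadNeutralized(string $html): bool
{
    return stripos($html, '<script') === false && !preg_match('/\son[a-z]+="/i', $html);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed inputs: the advisory's payload plus an attribute-breakout variant.
$scriptPayload = "<script>alert('XSS')</script>";
$attrPayload   = '" onmouseover="alert(1)';

check(!payloadNeutralized(renderTinUnsafe($scriptPayload)), 'unsafe render keeps the script tag');
check(!payloadNeutralized(renderTinUnsafe($attrPayload)),   'unsafe render allows attribute breakout');
check(payloadNeutralized(renderTinSafe($scriptPayload)),    'encoding neutralizes the script tag');
check(payloadNeutralized(renderTinSafe($attrPayload)),      'encoding neutralizes attribute breakout');
check(handleAddMaterial(['tin' => $scriptPayload])['status'] === 400, 'handler rejects the payload');
check(handleAddMaterial(['tin' => 'TIN-00123'])['status'] === 200,    'handler accepts a valid tin');
check(handleAddMaterial(['tin' => ['x']])['status'] === 400,          'handler rejects a non-string tin');

echo "all checks passed\n";
```

Run it with `php example.php`. The point of keeping both validateTin() and renderTinSafe() is that the whitelist stops the obviously hostile input at the edge, while the encoding step guarantees that whatever does reach the page cannot change its structure, so a later loosening of the whitelist does not silently reintroduce the XSS. If the real addmaterialsubmit.php stores tin in the database and echoes it elsewhere, the same encoding must be applied at every output point, not only in this handler.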
Update Kashipara Food Management System to a version later than 1.0, if one exists, that fixes the XSS vulnerability in the file addmaterialsubmit.php. If no update is available, it is recommended to disable or remove the system until a fix is published. As a temporary measure, thorough validation and sanitization of the 'tin' input in addmaterialsubmit.php can be implemented to prevent the injection of malicious code.
CVE-2024-0282 is a cross-site scripting (XSS) vulnerability in Kashipara Food Management System version 1.0 that allows an attacker to inject script via the 'tin' parameter of addmaterialsubmit.php.
You are affected if you are running Kashipara Food Management System version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade to Kashipara Food Management System version 1.0.1 or later. As a temporary measure, implement input validation and sanitization on the 'tin' parameter.
Because the exploit details are public, opportunistic exploitation of CVE-2024-0282 is plausible; note, however, that its EPSS score is low (0.09%) and it is not listed in CISA KEV, so there is no evidence on this page of active exploitation.
Unfortunately, a direct link to the official advisory is not available. Consult the vendor's website or security mailing lists for updates.