Platform: php
Component: company-visitor-management-system
Fixed version: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Company Visitor Management System versions 1.0 through 1.0. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The vulnerability resides within the file search-visitor.php and can be exploited remotely. A fix is available in version 1.0.1.
Successful exploitation of CVE-2024-0652 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application. An attacker could potentially gain access to sensitive information stored within the Company Visitor Management System, such as visitor logs and employee details. The impact is amplified if the system is used to manage access to physical locations, as an attacker could potentially use the vulnerability to gain unauthorized access.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact warrant immediate attention. No active exploitation campaigns have been publicly reported as of the publication date, but the availability of a public proof-of-concept suggests that exploitation is possible. The vulnerability was added to the VDB with identifier VDB-251378.
Organizations utilizing PHPGurukul Company Visitor Management System version 1.0, particularly those with sensitive visitor data or integrated access control systems, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's environment could potentially impact others.
• php: Examine the search-visitor.php file for unsanitized user input.

    <?php
    // Example: check the search parameter for potentially malicious characters.
    // The null-coalescing default avoids an "undefined index" notice when the
    // parameter is absent from the request.
    $term = $_GET['search_term'] ?? '';
    if (preg_match('/<script/i', $term)) {
        // Log or block the request
    }

• generic web: Monitor access logs for unusual requests to search-visitor.php with suspicious parameters. Browsers and most HTTP tools URL-encode the query string, so the logged request line usually carries %3Cscript rather than a literal <script; match both forms.

    # match the literal and the URL-encoded form of the tag opener
    grep -iE '<script|%3Cscript' /var/log/apache2/access.log

disclosure
patch
Exploitation status
EPSS
0.15% (35th percentile)
CVSS vector
The primary mitigation for CVE-2024-0652 is to upgrade to version 1.0.1 of the PHPGurukul Company Visitor Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the search-visitor.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update security rules to reflect the latest threat intelligence.
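The following PHP is an added illustration of the input validation and output encoding recommended above; it is not code from PHPGurukul or from search-visitor.php. The parameter name search_term is taken from the detection snippet on this page, while the function names, the validation rule and the page structure are assumptions made for the example. It renders the same constructed inputs through an unsafe concatenation and through the hardened path so the difference is visible.

```php
<?php
// Added example (not PHPGurukul's code): reflecting a search parameter safely.
// The parameter name "search_term" comes from the detection snippet on the page;
// everything else here is an assumption made for illustration.

declare(strict_types=1);

// Unsafe pattern: the raw parameter is concatenated straight into HTML, so any
// markup in the value is interpreted by the browser. This is the reflected XSS shape.
function renderSearchHeadingUnsafe(string $term): string
{
    return "<h2>Search results for: " . $term . "</h2>";
}

// Hardened step 1: validate the input against what a visitor search legitimately
// needs (letters, digits, spaces, dot, apostrophe, hyphen; bounded length).
// Anything else is rejected before it reaches the page.
function validateSearchTerm(string $term): ?string
{
    $term = trim($term);
    if ($term === '' || mb_strlen($term) > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .\'-]+$/u', $term)) {
        return null;
    }
    return $term;
}

// Hardened step 2: encode on output regardless of validation, so characters with
// HTML meaning are displayed literally instead of being interpreted.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchHeadingSafe(string $term): string
{
    $clean = validateSearchTerm($term);
    if ($clean === null) {
        return "<h2>Invalid search term</h2>";
    }
    return "<h2>Search results for: " . escapeHtml($clean) . "</h2>";
}

// Constructed sample inputs for comparison (run with: php this_file.php).
$samples = [
    "John Smith",
    "O'Brien",
    "<script>alert(1)</script>",
];
foreach ($samples as $input) {
    echo "input:    " . $input . "\n";
    echo "unsafe:   " . renderSearchHeadingUnsafe($input) . "\n";
    echo "encoded:  " . escapeHtml($input) . "\n";
    echo "hardened: " . renderSearchHeadingSafe($input) . "\n\n";
}

// When wired into a real page the entry point would be:
//   $term = $_GET['search_term'] ?? '';
//   echo renderSearchHeadingSafe($term);
```

Validation alone is not sufficient, because a legitimate name such as O'Brien contains a character that matters inside an HTML attribute; the encoding step is what makes the output safe in every context, and the validation step narrows what an attacker can send in the first place. The same htmlspecialchars call belongs at every point where the search term is echoed, including any "no results for …" message and any value attribute that re-populates the search box.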
Upgrade to a patched version of the PHPGurukul Company Visitor Management System. Contact the vendor to obtain a fixed version, or apply the security measures needed to prevent XSS attacks in the search-visitor.php file.
CVE-2024-0652 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Company Visitor Management System versions 1.0–1.0, allowing attackers to inject malicious scripts.
You are affected if you are using PHPGurukul Company Visitor Management System version 1.0–1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1 of the PHPGurukul Company Visitor Management System. Input validation and output encoding can provide temporary protection.
While no active exploitation campaigns have been publicly reported, the vulnerability has been disclosed and a proof-of-concept exists, indicating potential for exploitation.
Refer to the vendor's advisory or security bulletin for PHPGurukul Company Visitor Management System for details on CVE-2024-0652.