平台
php
组件
cves-and-vulnerabilities
修复版本
1.0.1
CVE-2024-11102 describes a cross-site scripting (XSS) vulnerability discovered in SourceCodester Hospital Management System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and system integrity. The vulnerability impacts the /vm/doctor/edit-doc.php file and is addressed in version 1.0.1.
Successful exploitation of CVE-2024-11102 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's interface. An attacker could potentially steal sensitive patient data or gain unauthorized access to administrative functions within the Hospital Management System. The impact is amplified if the system is used in a multi-user environment, as a single compromised account could be used to target other users.
CVE-2024-11102 has been publicly disclosed, increasing the risk of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant immediate attention. No active exploitation campaigns are currently known, but the availability of the vulnerability details makes it a potential target for opportunistic attackers. The vulnerability was published on 2024-11-12.
Healthcare providers and organizations utilizing SourceCodester Hospital Management System version 1.0 are at risk. This includes small clinics, private practices, and hospitals relying on this system for patient data management. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as a compromise of one user's account could potentially impact others.
• php: Examine the /vm/doctor/edit-doc.php file for unsanitized user input. Search for instances where data from the name parameter is directly output to the page without proper encoding.
// Example of vulnerable code
<?php
echo $_GET['name']; // Vulnerable to XSS
?>• generic web: Monitor access logs for requests to /vm/doctor/edit-doc.php with unusual or suspicious parameters in the name query string. Look for patterns indicative of XSS payloads (e.g., <script>, <iframe>).
grep 'name=[^a-zA-Z0-9_]' /var/log/apache2/access.logdisclosure
漏洞利用状态
EPSS
0.18% (40% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-11102 is to upgrade to version 1.0.1 of SourceCodester Hospital Management System. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the /vm/doctor/edit-doc.php file to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a temporary layer of protection. Regularly review and update security policies to prevent similar vulnerabilities in the future.
Actualice el sistema Hospital Management System a una versión parcheada que solucione la vulnerabilidad XSS. Si no hay una versión disponible, revise y filtre las entradas del parámetro 'name' en el archivo edit-doc.php para evitar la inyección de código malicioso. Considere deshabilitar temporalmente la funcionalidad afectada hasta que se pueda aplicar una solución.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-11102 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Hospital Management System version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are using SourceCodester Hospital Management System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the /vm/doctor/edit-doc.php file.
While no active exploitation campaigns are currently known, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the advisory related to CVE-2024-11102.