平台
php
组件
zero-day
修复版本
1.0.1
CVE-2024-11675 describes a cross-site scripting (XSS) vulnerability discovered in CodeAstro Hospital Management System versions 1.0. This vulnerability allows attackers to inject malicious scripts into the application via manipulation of patient details within the Add Patient Details Page. Affected users should upgrade to version 1.0.1 to address this issue. The vulnerability has been publicly disclosed.
An attacker can exploit this XSS vulnerability by crafting malicious patient data containing JavaScript code. When a user with appropriate privileges views the modified patient record, the injected script will execute within their browser context. This could lead to session hijacking, redirection to phishing sites, or the theft of sensitive information displayed on the page. The impact is amplified if the application is used to manage patient records containing Personally Identifiable Information (PII), potentially leading to data breaches and regulatory compliance issues. Successful exploitation could also allow an attacker to deface the application or perform actions on behalf of the affected user.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No KEV listing or EPSS score is currently available. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and public disclosure. The vulnerability was published on 2024-11-26.
Hospitals and healthcare providers using CodeAstro Hospital Management System version 1.0 are at risk. Organizations relying on this system to manage patient data, particularly those with limited security expertise or outdated infrastructure, are especially vulnerable. Shared hosting environments where multiple applications share the same server resources may also be at increased risk.
• php: Examine the hisadminregisterpatient.php file for unsanitized input handling of patfname, patailment, patlname, patage, patdob, patnumber, patphone, pattype, and pataddr parameters.
// Example: Check for suspicious characters
if (preg_match('/<.*?>/', $_POST['pat_fname'])) {
// Log or block the request
}• generic web: Monitor access logs for requests to /backend/admin/hisadminregister_patient.php containing unusual or encoded characters in the URL parameters.
• generic web: Inspect the HTML source code of the patient details page for any unexpected JavaScript code or event handlers.
disclosure
漏洞利用状态
EPSS
0.13% (32% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-11675 is to upgrade CodeAstro Hospital Management System to version 1.0.1, which includes the necessary fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the Add Patient Details Page to prevent the injection of malicious scripts. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly review and update input validation routines to address potential bypasses.
Actualizar a una versión parcheada del sistema de gestión hospitalaria CodeAstro. Si no hay una versión disponible, revisar y sanitizar las entradas de usuario en el archivo /backend/admin/his_admin_register_patient.php, específicamente los parámetros pat_fname, pat_ailment, pat_lname, pat_age, pat_dob, pat_number, pat_phone, pat_type y pat_addr, para prevenir la inyección de código XSS.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-11675 is a cross-site scripting (XSS) vulnerability in CodeAstro Hospital Management System versions 1.0, allowing attackers to inject malicious scripts via patient data manipulation.
If you are using CodeAstro Hospital Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the Add Patient Details Page.
While no active exploitation has been confirmed, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Please refer to the CodeAstro website or relevant security mailing lists for the official advisory regarding CVE-2024-11675.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。