Platform
php
Component
zero-day
Fixed version
1.0.1
CVE-2024-11677 is a cross-site scripting (XSS) vulnerability in CodeAstro Hospital Management System version 1.0. It allows an attacker to inject script into the application, which can compromise user accounts and data integrity. The affected component is the 'Add Vendor Details Page' at /backend/admin/his_admin_add_vendor.php; the vulnerable inputs are the vendor form parameters v_name, v_adr, v_number, v_email, v_phone and v_desc. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-11677 lets an attacker run arbitrary JavaScript in the browser session of a user of the CodeAstro Hospital Management System. From there the usual XSS outcomes follow: session hijacking, credential theft and defacement of the application, which in a hospital system can mean access to patient data or manipulation of hospital operations. Note that the affected page sits under the /backend/admin/ path, so the injected value has to be submitted to, or viewed through, that admin form; an attacker either needs a session that can reach it or must get an administrator to submit or render the payload. The attack is reachable over the network, and because the exploit details are public, vulnerable instances are easy to find and test.
CVE-2024-11677 has been publicly disclosed, which raises the risk of exploitation. The vulnerability is rated LOW severity based on its CVSS score. No specific campaigns or KEV listing are currently associated with this CVE, but the availability of a public exploit means attackers may actively target vulnerable instances. The vulnerability was published on 2024-11-26.
Hospitals and healthcare facilities running CodeAstro Hospital Management System version 1.0 are directly at risk, as is any deployment that has not added its own input validation and output encoding around the vendor form. In shared hosting environments, where several tenants share the same server, a compromised account on the hospital system could also be used as a foothold against other users of that host.
• generic web: Use curl to submit the vendor form at /backend/admin/his_admin_add_vendor.php with payloads such as <script>alert(1)</script> in each of the six vendor parameters, then load the page that displays vendor details and check whether the payload comes back unencoded (the flaw can be reflected or stored, so check the response of the POST and the vendor listing).
curl -X POST -d "v_name=<script>alert(1)</script>" http://<target>/backend/admin/his_admin_add_vendor.php
• generic web: Examine access and error logs for requests to his_admin_add_vendor.php containing XSS payloads or unusual characters in the v_name, v_adr, v_number, v_email, v_phone or v_desc parameters. Standard access logs record only the query string, not POST bodies, so also inspect the stored vendor records in the database for script tags or event-handler attributes.
• php: Review the source of /backend/admin/his_admin_add_vendor.php for missing input validation and, more importantly, for vendor fields being echoed into HTML without output encoding.
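The log-review step above in runnable form. This is an added example, not code from CodeAstro or from this advisory: it parses constructed combined-format access log lines (assumed, not real traffic), URL-decodes the query string, and flags values of the six vendor parameters that look like XSS payloads. The regular expressions and the PHP 8 requirement (str_contains) are assumptions of this example. The POST line in the sample shows the caveat that a body-only submission leaves nothing for the scanner to see.

```php
<?php
// Added example: scan access-log lines for XSS-looking values in the vendor
// parameters named by CVE-2024-11677. Not part of CodeAstro HMS. Requires PHP 8+.

const VENDOR_PARAMS = ['v_name', 'v_adr', 'v_number', 'v_email', 'v_phone', 'v_desc'];

// Patterns that practically never occur in legitimate vendor data (assumed list).
const XSS_PATTERNS = [
    '/<\s*script\b/i',
    '/<\s*(img|svg|iframe|body|object|embed)\b[^>]*\bon[a-z]+\s*=/i',
    '/\bon(error|load|mouseover|focus|click)\s*=/i',
    '/javascript\s*:/i',
];

// Pull method, path and decoded query parameters out of a combined-format line.
function extractRequest(string $line): ?array
{
    if (!preg_match('/"(GET|POST|PUT) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[2]);
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query);   // parse_str URL-decodes the values
    }
    return ['method' => $m[1], 'path' => $parts['path'] ?? '', 'query' => $query];
}

// Return one hit per (line, parameter) whose decoded value matches a pattern.
function findXssHits(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = extractRequest($line);
        if ($req === null || !str_contains($req['path'], 'his_admin_add_vendor.php')) {
            continue;
        }
        foreach (VENDOR_PARAMS as $p) {
            if (!isset($req['query'][$p])) {
                continue;
            }
            $value = (string)$req['query'][$p];
            foreach (XSS_PATTERNS as $re) {
                if (preg_match($re, $value)) {
                    $hits[] = ['line' => $n + 1, 'param' => $p, 'value' => $value];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '10.0.0.5 - - [26/Nov/2024:10:00:01 +0000] "GET /backend/admin/his_admin_add_vendor.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/Nov/2024:10:00:07 +0000] "GET /backend/admin/his_admin_add_vendor.php?v_name=Acme+Medical&v_email=sales%40acme.example HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2024:10:01:13 +0000] "GET /backend/admin/his_admin_add_vendor.php?v_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2024:10:01:20 +0000] "POST /backend/admin/his_admin_add_vendor.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [26/Nov/2024:10:02:02 +0000] "GET /backend/admin/his_admin_add_vendor.php?v_desc=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 512',
];

// Lines 3 and 5 are reported; line 4 (a POST) carries its payload in the body,
// which a default access log does not record.
foreach (findXssHits($sample) as $hit) {
    printf("line %d: %s = %s\n", $hit['line'], $hit['param'], $hit['value']);
}
```

Run it with php scanner.php; to use it on a real log, replace $sample with file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES). Treat hits as leads to verify against the vendor table, not as proof of compromise.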
disclosure
Exploitation status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-11677 is to upgrade CodeAstro Hospital Management System to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, add server-side validation of the 'Add Vendor Details Page' inputs and, above all, HTML-encode vendor fields wherever they are rendered; validation alone does not stop XSS in free-text fields such as a vendor name or description. A web application firewall (WAF) tuned to block common XSS payloads adds a layer of defence but is bypassable and should not replace the code fix. Review security policies and procedures regularly to keep protection current against similar vulnerabilities.
Update the Hospital Management System to the patched version or apply the vendor-supplied security fix. In the his_admin_add_vendor.php file, sanitize user input, in particular the parameters v_name, v_adr, v_number, v_email, v_phone and v_desc, to prevent XSS injection. Implement data validation and encoding on the server side to reduce the risk.
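To make the server-side fix concrete: below is an added example, not CodeAstro's code, showing the unsafe pattern this advisory describes next to a hardened version of the same handler. Function names, field length limits, the phone-number regex and the `vendors` table are all assumptions of the example; the six parameter names are the ones in the advisory. The key point is that validateVendorInput() deliberately accepts arbitrary text in v_name and v_desc, so output encoding in renderVendorRowSafe() is what actually neutralizes the payload.

```php
<?php
// Added example (not CodeAstro's code): unsafe vs. hardened handling of the
// Add Vendor Details form fields named in CVE-2024-11677.

// VULNERABLE pattern: submitted vendor fields are interpolated straight into HTML.
function renderVendorRowUnsafe(array $vendor): string
{
    return "<tr><td>{$vendor['v_name']}</td><td>{$vendor['v_email']}</td>"
         . "<td>{$vendor['v_desc']}</td></tr>";
}

// Step 1 (hardened): validate what has a fixed shape, bound the rest by length.
// Free-text fields are NOT "cleaned" of tags here; that is the job of encoding.
function validateVendorInput(array $post): array
{
    $errors = [];
    $clean  = [];
    $textLimits = ['v_name' => 100, 'v_adr' => 200, 'v_number' => 30, 'v_desc' => 500]; // assumed
    foreach ($textLimits as $field => $max) {
        $v = trim((string)($post[$field] ?? ''));
        if ($v === '' || mb_strlen($v) > $max) {
            $errors[] = "$field is required and must be at most $max characters";
        }
        $clean[$field] = $v;
    }
    $email = filter_var((string)($post['v_email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'v_email is not a valid address';
    }
    $clean['v_email'] = $email === false ? '' : $email;

    $phone = trim((string)($post['v_phone'] ?? ''));
    if (!preg_match('/^\+?[0-9 ()-]{6,20}$/', $phone)) {   // assumed format
        $errors[] = 'v_phone may contain only digits, spaces, +, - and parentheses';
    }
    $clean['v_phone'] = $phone;
    return [$clean, $errors];
}

// Step 2 (hardened): encode on output, for every field, every time.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderVendorRowSafe(array $vendor): string
{
    return '<tr><td>' . e($vendor['v_name']) . '</td><td>' . e($vendor['v_email'])
         . '</td><td>' . e($vendor['v_desc']) . '</td></tr>';
}

// Step 3: store with a prepared statement (assumes a PDO handle and a `vendors` table).
function insertVendor(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO vendors (v_name, v_adr, v_number, v_email, v_phone, v_desc)
         VALUES (:v_name, :v_adr, :v_number, :v_email, :v_phone, :v_desc)'
    );
    $stmt->execute($clean);
}

// Constructed request carrying the payloads from the detection step.
$post = [
    'v_name'   => '<script>alert(1)</script>',
    'v_adr'    => '1 Example Street',
    'v_number' => 'VND-001',
    'v_email'  => 'sales@acme.example',
    'v_phone'  => '+1 555 0100',
    'v_desc'   => '<img src=x onerror=alert(document.cookie)>',
];

echo renderVendorRowUnsafe($post), "\n";     // script tag reaches the browser intact

[$clean, $errors] = validateVendorInput($post);
echo renderVendorRowSafe($clean), "\n";      // &lt;script&gt;... shown as literal text
echo 'validation errors: ', count($errors), "\n";
```

The unsafe row still contains a live <script> element; the safe row contains the same characters as entity-encoded text. If the application also places vendor data inside JavaScript, attributes or URLs, each of those contexts needs its own encoder; htmlspecialchars() is correct only for HTML body and attribute contexts.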
CVE-2024-11677 is a cross-site scripting (XSS) vulnerability affecting CodeAstro Hospital Management System version 1.0, allowing attackers to inject malicious scripts via vendor details page parameters.
If you are using CodeAstro Hospital Management System version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to CodeAstro Hospital Management System version 1.0.1 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.
While no confirmed active exploitation campaigns are currently known, the vulnerability has been publicly disclosed, increasing the likelihood of exploitation.
Please refer to the CodeAstro website or contact their support team for the official advisory regarding CVE-2024-11677.