平台
php
修复版本
1.0.1
CVE-2024-12001 describes a problematic cross-site scripting (XSS) vulnerability discovered in Wazifa System version 1.0. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and data. The vulnerability resides within the /controllers/updatesettings.php file, specifically related to the handling of the 'firstname' parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-12001 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, phishing attacks, and defacement of the Wazifa System interface. The attacker could steal sensitive user data, redirect users to malicious websites, or even gain control of the application itself. Given the nature of XSS, the impact can be significant, especially if the Wazifa System handles sensitive information or is integrated with other critical systems. The vulnerability's remote accessibility broadens the attack surface.
CVE-2024-12001 has been publicly disclosed, increasing the likelihood of exploitation. While no active campaigns have been definitively linked to this specific CVE, the public availability of the vulnerability makes it a potential target for opportunistic attackers. The CVSS score of 3.5 (LOW) indicates a relatively low probability of exploitation, but the ease of exploitation and potential impact warrant prompt remediation. The vulnerability was published on 2024-11-30.
Organizations and individuals using Wazifa System version 1.0 are at risk. This includes those deploying Wazifa System in production environments, development environments, or testing environments. Shared hosting environments where Wazifa System is installed alongside other applications are particularly vulnerable, as a compromise of one application could potentially lead to the compromise of others.
• php: Examine /controllers/updatesettings.php for improper handling of the 'firstname' parameter. Look for missing or inadequate input sanitization and output encoding.
• generic web: Monitor access logs for unusual requests targeting /controllers/updatesettings.php with suspicious parameters in the 'firstname' field. Use curl to test the endpoint with various payloads.
curl 'http://your-wazifa-system/controllers/updatesettings.php?firstname=<script>alert("XSS")</script>'disclosure
漏洞利用状态
EPSS
0.13% (32% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2024-12001 is to upgrade Wazifa System to version 1.0.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'firstname' parameter within /controllers/updatesettings.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update Wazifa System's security configuration to minimize the risk of similar vulnerabilities.
Actualizar a una versión parcheada o aplicar las medidas de seguridad necesarias para evitar la ejecución de código XSS. Validar y limpiar las entradas del usuario, especialmente el parámetro 'firstname' en el archivo /controllers/updatesettings.php. Implementar una política de seguridad de contenido (CSP) para mitigar los ataques XSS.
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2024-12001 is a cross-site scripting (XSS) vulnerability in Wazifa System version 1.0, affecting the /controllers/updatesettings.php file. Attackers can inject malicious scripts via the 'firstname' parameter.
Yes, if you are using Wazifa System version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 or later to mitigate the risk.
The recommended fix is to upgrade Wazifa System to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'firstname' parameter.
While no active campaigns have been definitively linked, the public disclosure of the vulnerability increases the risk of exploitation. Prompt remediation is advised.
Refer to the Wazifa System project's official website or repository for the latest security advisories and updates related to CVE-2024-12001.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。