Platform
php
Component
simple-admin-panel
Fixed version
1.0.1
CVE-2024-12930 is a cross-site scripting (XSS) vulnerability in Simple Admin Panel version 1.0, classified as problematic. An attacker can inject script or HTML markup by manipulating the c_name argument handled by the file addCatController.php. Affected users should upgrade to version 1.0.1, which contains the fix. The vulnerability was published on December 26, 2024.
The XSS vulnerability lets an attacker place arbitrary JavaScript into a page served by the application. The attacker submits a request whose c_name parameter carries script or markup; the payload executes in the browser of whoever views the page that renders that value, which for an admin panel is typically an authenticated administrator. Successful exploitation could allow actions to be performed with the administrator's session, theft of the session cookie where it is not marked HttpOnly, defacement of the admin panel, or redirection of users to malicious websites. The impact is amplified if the panel is used to manage sensitive data or control critical system functions. The CVSS score is LOW, largely because exploitation requires a victim to load the injected content, but once that interaction happens the administrator's access is what the attacker gains, which makes this a notable concern.
CVE-2024-12930 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available as of the publication date. The EPSS score of 0.17% (38th percentile) indicates a low estimated probability of exploitation in the wild, and the CVSS score measures severity rather than likelihood; still, XSS payloads are cheap to generate and test, so the endpoint could become a target for automated scanners and opportunistic attackers. The vulnerability was publicly disclosed on December 26, 2024.
Administrators and users of Simple Admin Panel version 1.0 are at risk. This includes organizations using the panel for internal management tasks, as well as shared hosting environments where the panel is deployed alongside other websites. Any system where the addCatController.php file is accessible via a web browser is potentially vulnerable.
• php / server (confirm the parameter is handled and locate where its value is rendered):
grep -rn "c_name" /var/www/simple-admin-panel/
• generic web (reflection check; the payload is URL-encoded and the URL is quoted so the shell does not interpret the angle brackets):
curl -s 'http://your-simple-admin-panel/addCatController.php?c_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E' | grep -c '<script>alert(1)</script>'
A count of 1 or more means the value came back unencoded. The original page used curl -I, which sends a HEAD request and returns no body, so it cannot show reflection. If the handler only accepts POST, send the parameter with --data-urlencode 'c_name=<script>alert(1)</script>' instead; if the category name is stored and rendered on another page of the panel, fetch that page and grep its response.
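The mitigation guidance on this page recommends reviewing access logs for unusual characters in the c_name parameter. The following is an added example, not code from the Simple Admin Panel project, that does that review: it parses combined-format access log lines, URL-decodes the c_name query value for requests to addCatController.php, and flags values that contain tag openers, event-handler attributes, javascript: URLs, or attribute breakouts. It assumes PHP 8.0 or later (for str_ends_with); the log lines and the /admin/ path are constructed for the demonstration and are not taken from the advisory.

```php
<?php
// Added example (not from the Simple Admin Panel project): scan web server
// access logs for requests that carry HTML/script markup in the c_name
// parameter of addCatController.php. Requires PHP 8.0+ (str_ends_with).
// The log lines at the bottom are constructed; the format is Apache/Nginx
// "combined".
declare(strict_types=1);

const SUSPICIOUS = [
    '/<\s*\/?\s*[a-z]/i',     // an HTML tag opener such as <script or </a
    '/\bon[a-z]+\s*=/i',      // inline event handlers: onerror=, onload=, ...
    '/javascript\s*:/i',      // javascript: URLs
    '/["\'][^"\']*[<>]/',     // a quote followed by a tag character (attribute breakout)
];

// Returns the decoded c_name value for a request target aimed at
// addCatController.php, or null when the request is not relevant.
function extractCName(string $target): ?string
{
    $parts = parse_url($target);
    if (!isset($parts['path']) || !str_ends_with($parts['path'], 'addCatController.php')) {
        return null;
    }
    if (!isset($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);   // parse_str also decodes %xx and '+'
    return isset($params['c_name']) ? (string)$params['c_name'] : null;
}

// Returns the indicator patterns that match a decoded value (empty if none).
function xssIndicators(string $value): array
{
    $hits = [];
    foreach (SUSPICIOUS as $pattern) {
        if (preg_match($pattern, $value)) {
            $hits[] = $pattern;
        }
    }
    return $hits;
}

// Parses combined-format lines and returns the suspicious ones with details.
function scanAccessLog(array $lines): array
{
    $findings = [];
    // client ident user [time] "METHOD target PROTO" status ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $cName = extractCName($target);
        if ($cName === null) {
            continue;
        }
        $hits = xssIndicators($cName);
        if ($hits !== []) {
            $findings[] = [
                'ip' => $ip, 'time' => $time, 'method' => $method,
                'status' => $status, 'c_name' => $cName, 'indicators' => $hits,
            ];
        }
    }
    return $findings;
}

// Constructed sample log lines: one benign request, two payloads, one request
// to a different script that must be ignored.
$sampleLog = [
    '203.0.113.5 - - [26/Dec/2024:10:01:02 +0000] "GET /admin/addCatController.php?c_name=Office+Supplies HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Dec/2024:10:02:15 +0000] "GET /admin/addCatController.php?c_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"',
    '203.0.113.9 - - [26/Dec/2024:10:02:40 +0000] "GET /admin/addCatController.php?c_name=x%22%20onerror%3Dalert(1)%20%22 HTTP/1.1" 200 640 "-" "curl/8.0"',
    '198.51.100.7 - - [26/Dec/2024:10:03:01 +0000] "GET /admin/index.php?c_name=%3Cb%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    // Run with: php scan_c_name.php  (reports the two curl requests only)
    foreach (scanAccessLog($sampleLog) as $f) {
        printf("%s %s %s status=%s c_name=%s (%d indicator(s))\n",
            $f['time'], $f['ip'], $f['method'], $f['status'], $f['c_name'], count($f['indicators']));
    }
}
```

Only query strings appear in access logs, so a payload delivered in a POST body will not be visible here; for that case enable request-body logging at the web server or WAF, or review the stored category names in the database directly.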
Exploitation status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12930 is to upgrade Simple Admin Panel to version 1.0.1, which contains the fix. If upgrading is not immediately feasible, validate the c_name parameter on input within addCatController.php (for example, restrict it to an allowed character set and a maximum length) and HTML-encode the value at output wherever it is rendered, using htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset; output encoding is the control that actually prevents the script from executing, since a stored category name may be displayed on pages other than the one that accepted it. A web application firewall (WAF) configured to detect and block XSS payloads can provide a temporary layer of protection. Review access logs for requests containing unusual characters in the c_name parameter.
Upgrade to the patched version or take the necessary security measures to prevent injection of malicious code via the c_name parameter in the file addCatController.php. Validate and escape user input to prevent XSS attacks. If upgrading is not possible, consider disabling or removing the component.
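To make the injection path described under impact and the validate-then-encode mitigation above concrete, here is an added example. It is not the project's addCatController.php, whose source is not shown on this page: it is a stand-in handler that reproduces the pattern the advisory describes (the submitted c_name echoed into HTML without encoding) beside a hardened version. The function names, the allowed-character policy and the 64-character limit are assumptions for the demonstration; PHP 7.4 or later is assumed.

```php
<?php
// Added example (not code from the Simple Admin Panel project). A hypothetical
// category-creation handler showing the vulnerable rendering pattern the
// advisory describes for c_name next to a validated and output-encoded form.
declare(strict_types=1);

// Vulnerable pattern: the submitted name is placed straight into HTML, so a
// value such as <script>alert(1)</script> becomes a live script element.
function renderCategoryVulnerable(string $cName): string
{
    return "<li class=\"category\">{$cName}</li>";
}

// Input validation: returns the trimmed name, or null when it is rejected.
// Assumed policy: 1-64 characters drawn from letters, digits, spaces and a
// few punctuation marks. Adjust to the application's real requirements.
function validateCategoryName(string $cName): ?string
{
    $cName = trim($cName);
    if (!preg_match('/^[\p{L}\p{N} _\-.&]{1,64}$/u', $cName)) {
        return null;
    }
    return $cName;
}

// Output encoding is the control that stops XSS regardless of what was
// accepted on input: every HTML metacharacter, including both quote styles,
// becomes an entity, so the browser never sees a tag or attribute boundary
// originating from user data.
function renderCategoryHardened(string $cName): string
{
    $safe = htmlspecialchars($cName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li class=\"category\">{$safe}</li>";
}

// Handler in the style of addCatController.php (hypothetical). Returns the
// HTTP status and body instead of emitting them, so it can be exercised
// from the command line.
function handleAddCategory(array $request): array
{
    $raw  = (string)($request['c_name'] ?? '');
    $name = validateCategoryName($raw);
    if ($name === null) {
        return ['status' => 400, 'body' => 'Invalid category name'];
    }
    // The real controller would store $name here. Encode again wherever the
    // stored value is later rendered; validation alone is not the fix.
    return ['status' => 200, 'body' => renderCategoryHardened($name)];
}

// Self-check: php add_cat_example.php
if (PHP_SAPI === 'cli') {
    $payload = '<script>alert(1)</script>';
    echo 'vulnerable: ' . renderCategoryVulnerable($payload) . PHP_EOL;
    echo 'hardened:   ' . renderCategoryHardened($payload) . PHP_EOL;
    $resp = handleAddCategory(['c_name' => $payload]);
    echo "handler:    {$resp['status']} {$resp['body']}" . PHP_EOL;
    $resp = handleAddCategory(['c_name' => 'Office Supplies']);
    echo "handler:    {$resp['status']} {$resp['body']}" . PHP_EOL;
}
```

The vulnerable line prints the script element intact; the hardened line prints `&lt;script&gt;alert(1)&lt;/script&gt;`, which a browser displays as text. The handler rejects the payload with 400 because of the character policy and accepts "Office Supplies", but the encoding step in renderCategoryHardened is what protects every page that later displays the name, including ones that read it back from the database.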
CVE-2024-12930 is a cross-site scripting vulnerability affecting Simple Admin Panel version 1.0, allowing attackers to inject malicious scripts via the c_name parameter in addCatController.php.
Yes, if you are using Simple Admin Panel version 1.0, you are affected by this vulnerability. Upgrade to version 1.0.1 to resolve the issue.
Upgrade Simple Admin Panel to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the c_name parameter.
While there is no confirmed active exploitation, the ease of exploitation inherent in XSS vulnerabilities means it could become a target.
Refer to the Simple Admin Panel project's official website or repository for the advisory and release notes for version 1.0.1.