Platform
php
Component
blood-bank-donor-management-system
Fixed version
2.4.1
CVE-2024-12982 describes a cross-site scripting (XSS) vulnerability discovered in PHPGurukul Blood Bank & Donor Management System version 2.4. This flaw allows an attacker to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability specifically impacts the /bbdms/admin/update-contactinfo.php file. A patch is available in version 2.4.1.
An attacker can exploit this XSS vulnerability by crafting a URL in which the Address parameter carries a malicious script. When a user with sufficient privileges (likely an administrator) opens this URL, the injected script executes in their browser context. This could allow the attacker to steal session cookies, redirect the user to a phishing site, or deface the application's administrative interface. The potential impact extends to sensitive data stored within the Blood Bank & Donor Management System, including donor information and blood inventory details. While the CVSS score is LOW, the potential for privilege escalation within the administrative interface makes this a concerning vulnerability.
This vulnerability was publicly disclosed on December 27, 2024. A public proof-of-concept is likely to emerge given the ease of exploitation associated with XSS vulnerabilities. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns. The NVD entry was published on the same date as the public disclosure.
Organizations utilizing the PHPGurukul Blood Bank & Donor Management System version 2.4, particularly those with limited security resources or those who haven't implemented robust input validation practices, are at significant risk. Healthcare providers and blood banks relying on this system for managing donor information and blood inventory are especially vulnerable.
• php: Examine the /bbdms/admin/update-contactinfo.php file for unsanitized handling of the Address parameter. Search for instances where user-supplied data is output directly into the HTML without proper encoding.
// Example of vulnerable code (simplified)
<?php
// The query parameter is reflected into the page unencoded, so any HTML
// or script it contains is rendered by the browser: vulnerable to XSS
echo $_GET['Address'];
?>
• generic web: Monitor access logs for unusual requests to /bbdms/admin/update-contactinfo.php with suspicious characters in the Address parameter (e.g., <script>, javascript:).
• generic web: Check response headers for missing or misconfigured defenses against script injection (e.g., the Content-Security-Policy header is absent or improperly configured).
• generic web: Use a web vulnerability scanner to automatically detect XSS vulnerabilities in the application.
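The access-log check in the list above, worked through as an added example (not code from the advisory or from PHPGurukul): a small PHP CLI script that parses combined-format log lines, isolates requests to the affected endpoint, URL-decodes the Address parameter and flags values that match script-like patterns. The log lines, the client addresses and the pattern list are constructed for illustration.

```php
<?php
// Added example (not part of the advisory): flag access-log entries that
// target the affected endpoint with script-like content in the Address parameter.
// The log lines below are constructed samples in Apache/Nginx combined format.

const TARGET_PATH = '/bbdms/admin/update-contactinfo.php';

// Patterns that rarely appear in a legitimate postal address (assumed list).
const SUSPICIOUS_PATTERNS = [
    '/<\s*script/i',
    '/javascript\s*:/i',
    '/on[a-z]+\s*=/i',            // inline event handlers such as onerror=
    '/<\s*(img|svg|iframe)/i',
];

/**
 * Extract the decoded Address value from a request target, or null when the
 * request does not hit the affected endpoint or carries no Address parameter.
 */
function extractAddress(string $requestTarget): ?string
{
    $parts = parse_url($requestTarget);
    if (!isset($parts['path']) || $parts['path'] !== TARGET_PATH || empty($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $params);   // parse_str also URL-decodes the values
    return isset($params['Address']) ? (string) $params['Address'] : null;
}

/** Return the first matching pattern for a suspicious address, or null if it looks benign. */
function classifyAddress(string $address): ?string
{
    foreach (SUSPICIOUS_PATTERNS as $pattern) {
        if (preg_match($pattern, $address)) {
            return $pattern;
        }
    }
    return null;
}

/** Scan combined-format log lines and return one finding per suspicious request. */
function scanLogLines(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        // client ip - - [timestamp] "METHOD target HTTP/x.y" status bytes
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $timestamp, $target] = $m;
        $address = extractAddress($target);
        if ($address === null) {
            continue;
        }
        $pattern = classifyAddress($address);
        if ($pattern !== null) {
            $findings[] = ['ip' => $ip, 'time' => $timestamp, 'address' => $address, 'pattern' => $pattern];
        }
    }
    return $findings;
}

// Constructed sample lines: one benign request to the endpoint, one unrelated
// request, and two requests carrying script-like Address values.
$sampleLog = [
    '203.0.113.5 - - [27/Dec/2024:10:01:02 +0000] "GET /bbdms/admin/update-contactinfo.php?Address=12+Main+Street HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Dec/2024:10:01:30 +0000] "GET /bbdms/admin/dashboard.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [27/Dec/2024:10:05:44 +0000] "GET /bbdms/admin/update-contactinfo.php?Address=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530',
    '198.51.100.7 - - [27/Dec/2024:10:06:10 +0000] "GET /bbdms/admin/update-contactinfo.php?Address=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 530',
];

foreach (scanLogLines($sampleLog) as $f) {
    printf("[%s] %s Address=%s matched %s\n", $f['time'], $f['ip'], $f['address'], $f['pattern']);
}
```

Decoding the parameter before matching matters: the payload in a crafted URL is normally percent-encoded, so matching raw log text for `<script>` misses it. The script only sees what the web server logs; Address values submitted in a POST body are not recorded in a standard access log, so this check covers the URL-borne case the advisory describes and should be paired with the code review and header checks above.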
disclosure
Exploitation status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12982 is to upgrade to version 2.4.1 of the Blood Bank & Donor Management System. This version includes a fix for the vulnerable parameter handling. If an immediate upgrade is not possible, consider implementing input validation and sanitization on the Address parameter within the /bbdms/admin/update-contactinfo.php file. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple script (e.g., <script>alert('XSS')</script>) into the Address field and verifying that the script does not execute.
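The interim mitigation described above (validate the Address parameter, and encode it on output) as an added example, not the project's own code or the vendor's 2.4.1 fix: the reflected-output pattern from the detection section is placed beside a hardened version. The function names, the 200-character length limit and the sample crafted input are assumptions for illustration.

```php
<?php
// Added example (not PHPGurukul's code): hardened handling of the Address
// parameter, contrasted with raw reflection of the query string into HTML.

const ADDRESS_MAX_LENGTH = 200;   // assumed limit for a postal address

/**
 * Validate a submitted address. Returns the trimmed value, or null when the
 * input should be rejected. Addresses are free text, so no attempt is made to
 * enumerate "bad" characters; the function bounds the length, requires valid
 * UTF-8 and rejects control characters. Output encoding is what prevents XSS.
 */
function validateAddress(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $value = trim($raw);
    if ($value === '' || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($value, 'UTF-8') > ADDRESS_MAX_LENGTH) {
        return null;
    }
    // Control characters (other than tab and newline) have no place in an address.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

/**
 * Encode a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces malformed
 * sequences instead of returning an empty string.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable form: the raw parameter is written straight into an attribute. */
function renderAddressFieldVulnerable(array $query): string
{
    return '<input name="Address" value="' . ($query['Address'] ?? '') . '">';
}

/** Hardened form: validate first, then encode at the point of output. */
function renderAddressFieldHardened(array $query): string
{
    $address = validateAddress($query['Address'] ?? null);
    $shown = $address === null ? '' : escapeHtml($address);
    return '<input name="Address" value="' . $shown . '">';
}

// Constructed sample input standing in for a crafted query string; the leading
// quote and angle bracket would close the attribute in the vulnerable version.
$crafted = ['Address' => '"><script>alert(\'XSS\')</script>'];

echo "Vulnerable: " . renderAddressFieldVulnerable($crafted) . "\n";
echo "Hardened:   " . renderAddressFieldHardened($crafted) . "\n";
```

In the hardened output the quote and angle brackets arrive in the browser as HTML entities, so the text is shown in the field rather than parsed as markup. Validation alone is not sufficient: a legitimate address can contain characters such as `&` or an apostrophe, so the encoding step must run at output for every HTML context the value is written into, and a Content-Security-Policy that disallows inline scripts remains worthwhile as defence in depth. The same `escapeHtml()` call is the check to apply when confirming the upgrade described above: if the injected text appears literally in the page and no script runs, the output is being encoded.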
Upgrade to the patched version of PHPGurukul Blood Bank & Donor Management System. If no patched version is available yet, review and filter the input to the 'Address' field in the update-contactinfo.php file to prevent XSS code execution.
CVE-2024-12982 is a cross-site scripting (XSS) vulnerability in PHPGurukul Blood Bank & Donor Management System 2.4, affecting the /bbdms/admin/update-contactinfo.php file. Attackers can inject malicious scripts via the Address parameter.
You are affected if you are using PHPGurukul Blood Bank & Donor Management System version 2.4. The vulnerability impacts the /bbdms/admin/update-contactinfo.php file.
Upgrade to version 2.4.1. If immediate upgrade is not possible, implement input validation and sanitization on the Address parameter and consider using a WAF.
There are currently no reports of active exploitation campaigns, but a public proof-of-concept is likely to emerge given the vulnerability's nature.
Refer to the PHPGurukul website and security advisories for the latest information regarding CVE-2024-12982 and available patches.