Platform
php
Component
land-record-system
Fixed version
1.0.1
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability, rated problematic, in PHPGurukul Land Record System version 1.0. It resides in the /admin/add-property.php file and is triggered through manipulation of the Land Subtype argument. A patch that addresses the issue is available in version 1.0.1.
Successful exploitation of CVE-2024-13077 allows an attacker to inject malicious scripts into the Land Record System's web interface. This can lead to various consequences, including session hijacking, defacement of the administrative panel, and redirection of users to malicious websites. The attacker could potentially steal sensitive information, such as user credentials or property data, depending on the level of access granted to the compromised account. Given the administrative context of /admin/add-property.php, the impact could be significant if an administrator's session is compromised.
CVE-2024-13077 has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to this specific vulnerability, the availability of public information makes it a potential target for opportunistic attackers. The exploit's simplicity suggests a relatively low barrier to entry for exploitation. The vulnerability was added to the NVD on 2024-12-31.
Organizations utilizing PHPGurukul Land Record System version 1.0 are at risk. Specifically, those with publicly accessible administrative interfaces or those who haven't implemented robust input validation measures are particularly vulnerable. Shared hosting environments where multiple users share the same server instance are also at increased risk.
• php: Examine the /admin/add-property.php file for unsanitized input handling of the 'Land Subtype' parameter.
• generic web: Monitor access logs for requests to /admin/add-property.php with unusual or suspicious values in the Land Subtype parameter. Use curl to test the endpoint with various payloads: curl 'http://example.com/admin/add-property.php?Land%20Subtype=<script>alert("XSS")</script>'
• generic web: Check response headers for Content-Security-Policy (CSP) directives that could mitigate XSS attacks. curl -I http://example.com/admin/add-property.php
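The log-monitoring step above, worked into runnable detection logic: an added example, not code from the advisory or from PHPGurukul. It parses Apache combined-format access-log lines (constructed sample entries, not real traffic), keeps only requests to /admin/add-property.php, percent-decodes the Land Subtype value and flags values that carry markup-like content; the marker patterns are a conservative starting point, not a complete XSS signature set.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2024:10:00:01 +0000] "GET /admin/add-property.php?Land%20Subtype=Residential HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Dec/2024:10:00:07 +0000] "GET /admin/add-property.php?Land%20Subtype=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [31/Dec/2024:10:00:09 +0000] "GET /admin/add-property.php?Land%20Subtype=x%22%20onmouseover%3Dalert(1)%20y HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.2 - - [31/Dec/2024:10:01:00 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Only the leading fields of a combined-format line are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

WATCHED_PATH = "/admin/add-property.php"
WATCHED_PARAM = "Land Subtype"

# Markup indicators: an opening/closing tag, a javascript: URL, or an on*= event handler.
# Assumed starting point for tuning; a real deployment would extend this list.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def flag_requests(log_text):
    """Return (ip, timestamp, decoded value) for requests whose Land Subtype
    value on the watched path contains markup-like content."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes names and values, so "Land%20Subtype" becomes "Land Subtype"
        values = parse_qs(parts.query, keep_blank_values=True).get(WATCHED_PARAM, [])
        for value in values:
            decoded = unquote(value)  # second pass catches double-encoded payloads
            if XSS_MARKERS.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in flag_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious Land Subtype value: {value!r}")
```

POST bodies are not recorded in a standard access log, so a form submission carrying the same value would need request-body logging or a WAF to be seen by this check.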
disclosure
Exploitation status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13077 is to upgrade PHPGurukul Land Record System to version 1.0.1 or later, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Land Subtype field to prevent malicious input. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting the /admin/add-property.php endpoint can provide an additional layer of protection. Regularly review and update input validation routines to prevent future XSS vulnerabilities.
Upgrade to the patched version or take the necessary security measures to prevent XSS code execution. Validate and escape user input, especially the 'Land Subtype' parameter in the add-property.php file. Consider implementing a Content Security Policy (CSP) to mitigate XSS attacks.
CVE-2024-13077 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System version 1.0, allowing attackers to inject malicious scripts via the /admin/add-property.php file.
Yes, if you are running PHPGurukul Land Record System version 1.0, you are affected by this XSS vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to PHPGurukul Land Record System version 1.0.1 or later. As a temporary workaround, implement input validation and sanitization on the Land Subtype field.
While no confirmed active campaigns have been reported, the public disclosure of the vulnerability increases the likelihood of exploitation by opportunistic attackers.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-13077 and the Land Record System.