Platform
php
Component
land-record-system
Fixed version
1.0.1
CVE-2024-13081 is a cross-site scripting (XSS) vulnerability identified in PHPGurukul Land Record System versions 1.0 through 1.0. An attacker can exploit this flaw by manipulating the 'Page Description' parameter within the /admin/contactus.php file, potentially leading to the execution of malicious scripts in the context of a user's browser. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13081 allows an attacker to inject arbitrary JavaScript code into the Land Record System's web interface. This can lead to various malicious outcomes, including session hijacking, defacement of the administrative panel, and redirection of users to phishing sites. The attacker could potentially steal sensitive data, such as user credentials or land records, depending on the system's configuration and the privileges of the affected user. Given the administrative context of /admin/contactus.php, a successful attack could grant the attacker control over the entire Land Record System.
CVE-2024-13081 has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW, the ease of exploitation and potential impact on sensitive data warrant attention. No known active campaigns targeting this vulnerability have been reported as of the publication date. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations utilizing PHPGurukul Land Record System version 1.0, particularly those with publicly accessible administrative interfaces, are at risk. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially lead to the compromise of the entire system.
• wordpress / composer / npm:
grep -r "Page Description" /var/www/html/admin/contactus.php
• generic web:
curl -I -G --data-urlencode "Page Description=<script>alert('XSS')</script>" "http://your-land-record-system.com/admin/contactus.php"
Exploitation status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13081 is to upgrade to version 1.0.1 of PHPGurukul Land Record System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Page Description' parameter within the /admin/contactus.php file. This can involve stripping out potentially malicious HTML tags or encoding user-supplied input. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review and update the system's security configuration to minimize the attack surface. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the 'Page Description' field and verifying that it is properly sanitized.
Upgrade to the patched version or take the necessary security measures to prevent malicious code from being injected through the 'Page Description' field of the /admin/contactus.php file. Validate and escape user input correctly to prevent XSS attacks. If no patched version is available, consider disabling or removing the vulnerable feature.
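The two mitigation paragraphs above recommend validating and escaping the 'Page Description' value. The following PHP is an added illustration written for this page, not PHPGurukul's code: it shows the unsafe pattern (stored text echoed straight into HTML) next to the hardened one (encode on output, with an optional input-side normalisation step), and checks that a constructed payload is neutralised. The function names, the field handling and the sample payload are all hypothetical.

```php
<?php
// Added example, not taken from PHPGurukul Land Record System.
// Demonstrates why a stored 'Page Description' value must be encoded on output.
declare(strict_types=1);

/**
 * Unsafe pattern: whatever was stored is interpolated into the markup unchanged,
 * so a stored <script> element runs in any admin's browser that views the page.
 */
function renderDescriptionUnsafe(string $stored): string
{
    return "<div class=\"page-description\">$stored</div>";
}

/**
 * Hardened pattern: encode at the HTML output boundary. ENT_QUOTES covers both
 * quote characters so the value is also safe inside attribute values; the
 * explicit UTF-8 charset avoids encoder bypasses via mis-declared encodings.
 */
function renderDescriptionSafe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class=\"page-description\">$encoded</div>";
}

/**
 * Optional input-side defence (the advisory's interim workaround): trim,
 * cap the length and strip tags before storing. This reduces exposure but is
 * not a substitute for output encoding, because strip_tags knows nothing about
 * the context (attribute, script, URL) the value is later placed in.
 */
function normaliseDescriptionInput(string $raw): string
{
    $trimmed = trim($raw);
    if (mb_strlen($trimmed, 'UTF-8') > 1000) {          // hypothetical limit
        $trimmed = mb_substr($trimmed, 0, 1000, 'UTF-8');
    }
    return strip_tags($trimmed);
}

/** Self-check over a constructed payload (not one from the advisory). */
function selfCheck(): bool
{
    $payload = "<script>alert('XSS')</script>";        // constructed sample

    $unsafe = renderDescriptionUnsafe($payload);
    $safe   = renderDescriptionSafe($payload);
    $clean  = renderDescriptionSafe(normaliseDescriptionInput($payload));

    $unsafeLeaksTag   = str_contains($unsafe, '<script>');
    $safeIsEncoded    = !str_contains($safe, '<script>')
                        && str_contains($safe, '&lt;script&gt;')
                        && str_contains($safe, '&#039;XSS&#039;');
    $cleanHasNoScript = !str_contains($clean, 'script');

    return $unsafeLeaksTag && $safeIsEncoded && $cleanHasNoScript;
}

// Run as a CLI script: exits 0 when the hardened renderer neutralises the payload.
if (PHP_SAPI === 'cli') {
    $ok = selfCheck();
    echo $ok ? "hardened renderer OK\n" : "hardened renderer FAILED\n";
    exit($ok ? 0 : 1);
}
```

Run it with `php xss_check.php` (any filename). The design point is that the fix belongs at the output boundary: the hardened renderer is correct regardless of what reached the database, whereas `strip_tags` alone leaves the page dependent on every storage path having been filtered.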
CVE-2024-13081 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Land Record System versions 1.0-1.0, allowing attackers to inject malicious scripts via the /admin/contactus.php file.
You are affected if you are using PHPGurukul Land Record System version 1.0. Check your version and upgrade if necessary.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Page Description' parameter.
While no active campaigns are currently confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Refer to the PHPGurukul website or security mailing lists for the official advisory regarding CVE-2024-13081.