Platform: php
Component: e-commerce-php
Fixed version: 1.0.1
CVE-2024-13205 is a cross-site scripting (XSS) vulnerability discovered in E-Commerce-PHP version 1.0. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The affected component is the /admin/create_product.php file, specifically the 'Name' argument. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-13205 allows an attacker to inject arbitrary JavaScript code into the E-Commerce-PHP application. This can lead to a variety of malicious actions, including stealing user session cookies, redirecting users to phishing sites, or defacing the website. The impact is particularly severe if the application handles sensitive data or is used in a business-critical context. Given the publicly disclosed nature of the exploit, it is likely that attackers are actively scanning for vulnerable instances. The attack vector is remote, meaning an attacker does not need to be authenticated to exploit the vulnerability.
CVE-2024-13205 has been publicly disclosed, increasing the likelihood of exploitation. While the CVSS score is LOW (2.4), the ease of exploitation and potential impact warrant immediate attention. No KEV listing or active exploitation campaigns have been publicly reported as of the time of this writing. The vulnerability details are available on the NVD and CISA websites.
E-Commerce-PHP installations, particularly those running version 1.0 and reachable from the public internet, are at risk. Shared hosting environments that run E-Commerce-PHP are also exposed, since tenants may not control the application's version or configuration.
• php: Examine the /admin/create_product.php file for inadequate input sanitization of the 'Name' parameter.
• generic web: Monitor access logs for requests containing suspicious JavaScript code in the 'Name' parameter.
• generic web: Use a WAF to detect and block requests containing potentially malicious JavaScript payloads.
grep -i 'javascript:;' /var/log/apache2/access.log
Exploitation status
EPSS: 0.06% (19th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-13205 is to upgrade to version 1.0.1 of E-Commerce-PHP. If upgrading is not immediately possible, consider implementing input validation and sanitization on the 'Name' argument in the /admin/create_product.php file. This can help prevent malicious scripts from being injected. Web application firewalls (WAFs) can also be configured to block requests containing suspicious JavaScript code. Thoroughly test the upgrade in a staging environment before deploying to production to avoid breaking changes. After upgrade, confirm by attempting to create a product with a specially crafted name containing JavaScript code; it should be properly sanitized and not execute.
Upgrade to the patched version or apply the fix provided by the vendor. If no patched version is available, sanitize user input for the 'Name' field in /admin/create_product.php to prevent malicious code injection. Validate and escape data before displaying it on the page.
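As an added illustration of the validate-on-input, escape-on-output mitigation described above (example code written for this page, not code from the E-Commerce-PHP project), the following PHP shows the unsafe rendering pattern beside a hardened form; the function names, the 100-character limit and the allowed-character set are assumptions.

```php
<?php
// Added example (not E-Commerce-PHP's own code): a minimal handler in the
// shape of /admin/create_product.php. Function and field names are assumed.
declare(strict_types=1);
// Unsafe pattern: the raw 'Name' value is written straight into HTML, so
// "Widget<script>...</script>" renders as markup instead of text.
function render_product_row_unsafe(string $name): string
{
    return '<tr><td>' . $name . '</td></tr>';
}
// Step 1: validate on input; refuse bad values rather than stripping them.
function validate_product_name(string $name): string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        throw new InvalidArgumentException('Product name must be 1-100 characters.');
    }
    // letters, digits, spaces, light punctuation; <, > and quotes are rejected
    if (!preg_match('/^[\p{L}\p{N} .,&()\-]+$/u', $name)) {
        throw new InvalidArgumentException('Product name contains disallowed characters.');
    }
    return $name;
}
// Step 2: escape on output for the HTML context the value lands in.
// ENT_QUOTES also covers attribute values; always pass the charset.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function render_product_row(string $name): string
{
    return '<tr><td>' . e($name) . '</td></tr>';
}
// Validation protects what gets stored; escaping protects the page and still
// covers names stored before the fix or through another path.
function handle_create_product(array $post): string
{
    try {
        $name = validate_product_name($post['name'] ?? '');
    } catch (InvalidArgumentException $ex) {
        http_response_code(400);
        return '<p>' . e($ex->getMessage()) . '</p>';
    }
    return render_product_row($name); // persistence call omitted (assumed)
}
$constructed = ['name' => 'Widget<script>alert(1)</script>']; // constructed form input
echo render_product_row_unsafe($constructed['name']), "\n"; // markup reaches the browser
echo handle_create_product($constructed), "\n";              // refused with HTTP 400
echo render_product_row('Tom & Jerry "Deluxe"'), "\n";      // stored name shown escaped
```

Escaping must match the output context: htmlspecialchars is correct for HTML text and attribute values, but a name placed inside a JavaScript string or a URL needs that context's encoding instead.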
CVE-2024-13205 is a cross-site scripting (XSS) vulnerability affecting E-Commerce-PHP version 1.0, allowing attackers to inject malicious scripts via the /admin/create_product.php file.
If you are running E-Commerce-PHP version 1.0, you are potentially affected by this vulnerability. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 'Name' parameter in /admin/create_product.php.
While no active exploitation campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation.
Consult the E-Commerce-PHP project's official website or repository for the latest security advisories and updates.